Bug 156625

Summary:

Remove support for X-Frame-Options in `<meta>`

Product:

WebKit

Reporter:

Mike West <mkwst>

Component:

WebCore Misc.

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, buildbot, cdumez, commit-queue, dbates, esprehn+autocc, kangil.han, rniwa, webkit-bug-importer, wilander

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Archive of layout-test-results from ews101 for mac-yosemite	none
Archive of layout-test-results from ews104 for mac-yosemite-wk2	none
Patch v2	darin: review+

Mike West

Reported 2016-04-15 06:26:18 PDT

Firefox and Edge follow the RFC's suggestion (https://tools.ietf.org/html/rfc7034#section-4) to ignore the 'X-Frame-Options' header when delivered as `<meta http-equiv="...">` (and have done so from their initial implementations). Blink has just removed this functionality (https://crbug.com/603002). The risks were outlined in https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/R1gkjKZI0J8, and seem minimal (~150 domains use the feature, period). Perhaps WebKit could consider removing support as well?

Attachments
Patch (42.25 KB, patch) 2016-04-15 09:54 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews101 for mac-yosemite (775.10 KB, application/zip) 2016-04-15 10:39 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews104 for mac-yosemite-wk2 (793.30 KB, application/zip) 2016-04-15 10:41 PDT, Build Bot	no flags	Details
Patch v2 (42.97 KB, patch) 2016-04-15 10:54 PDT, Brent Fulgham	darin: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2016-04-15 08:38:49 PDT

<rdar://problem/25748714>

Brent Fulgham

Comment 2 2016-04-15 09:08:27 PDT

I think this seems reasonable, and easy to do. I'll propose a patch.

Brent Fulgham

Comment 3 2016-04-15 09:54:48 PDT

Created attachment 276480 [details] Patch

Build Bot

Comment 4 2016-04-15 10:39:04 PDT

Comment on attachment 276480 [details] Patch Attachment 276480 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1164210 New failing tests: inspector/console/x-frame-options-message.html

Build Bot

Comment 5 2016-04-15 10:39:09 PDT

Created attachment 276484 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5

Build Bot

Comment 6 2016-04-15 10:41:11 PDT

Comment on attachment 276480 [details] Patch Attachment 276480 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1164213 New failing tests: inspector/console/x-frame-options-message.html

Build Bot

Comment 7 2016-04-15 10:41:16 PDT

Created attachment 276485 [details] Archive of layout-test-results from ews104 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5

Brent Fulgham

Comment 8 2016-04-15 10:54:15 PDT

Created attachment 276486 [details] Patch v2

Brent Fulgham

Comment 9 2016-04-15 10:54:46 PDT

Comment on attachment 276486 [details] Patch v2 Rebaselined console test output.

Brent Fulgham

Comment 10 2016-04-15 10:57:38 PDT

John and I discussed this offline, and he agrees that we should change to match Blink here because our current behavior is against spec, and this quirk is rarely used.

Darin Adler

Comment 11 2016-04-15 11:04:32 PDT

Comment on attachment 276486 [details] Patch v2 View in context: https://bugs.webkit.org/attachment.cgi?id=276486&action=review > Source/WebCore/dom/Document.cpp:3308 > + addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier); This message seems a bit oblique. It states the rule but never explicitly mentions why the rule is being cited; because there is a meta element that has X-Frame-Options in it. It also doesn’t seem like this will point the developer right the meta element with the X-Frame-Options value that is being ignored. Maybe our tools have some way of doing that.

Brent Fulgham

Comment 12 2016-04-15 12:47:24 PDT

Comment on attachment 276486 [details] Patch v2 View in context: https://bugs.webkit.org/attachment.cgi?id=276486&action=review >> Source/WebCore/dom/Document.cpp:3308 >> + addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier); > > This message seems a bit oblique. It states the rule but never explicitly mentions why the rule is being cited; because there is a meta element that has X-Frame-Options in it. It also doesn’t seem like this will point the developer right the meta element with the X-Frame-Options value that is being ignored. Maybe our tools have some way of doing that. Our tools are capable of identifying the correct <meta> element that caused the console message. You can try it out by using any of the 'http/tests/security/XFrameOptions" tests in this bug. Clicking on this new console messages takes you to the offending <meta> element.

Brent Fulgham

Comment 13 2016-04-15 12:49:46 PDT

Committed r199605: <http://trac.webkit.org/changeset/199605>

Darin Adler

Comment 14 2016-04-15 12:56:05 PDT

Comment on attachment 276486 [details] Patch v2 View in context: https://bugs.webkit.org/attachment.cgi?id=276486&action=review >>> Source/WebCore/dom/Document.cpp:3308 >>> + addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier); >> >> This message seems a bit oblique. It states the rule but never explicitly mentions why the rule is being cited; because there is a meta element that has X-Frame-Options in it. It also doesn’t seem like this will point the developer right the meta element with the X-Frame-Options value that is being ignored. Maybe our tools have some way of doing that. > > Our tools are capable of identifying the correct <meta> element that caused the console message. You can try it out by using any of the 'http/tests/security/XFrameOptions" tests in this bug. Clicking on this new console messages takes you to the offending <meta> element. That addresses the issue I raised in the third sentence (I am happy that I was wrong), but does not address the other issue I raised in the first two sentences. Can the message be reworded to be less oblique?

Brent Fulgham

Comment 15 2016-04-15 17:46:57 PDT

Comment on attachment 276486 [details] Patch v2 View in context: https://bugs.webkit.org/attachment.cgi?id=276486&action=review >>>> Source/WebCore/dom/Document.cpp:3308 >>>> + addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier); >>> >>> This message seems a bit oblique. It states the rule but never explicitly mentions why the rule is being cited; because there is a meta element that has X-Frame-Options in it. It also doesn’t seem like this will point the developer right the meta element with the X-Frame-Options value that is being ignored. Maybe our tools have some way of doing that. >> >> Our tools are capable of identifying the correct <meta> element that caused the console message. You can try it out by using any of the 'http/tests/security/XFrameOptions" tests in this bug. Clicking on this new console messages takes you to the offending <meta> element. > > That addresses the issue I raised in the third sentence (I am happy that I was wrong), but does not address the other issue I raised in the first two sentences. Can the message be reworded to be less oblique? Hmm. Let me think about the wording and land something better in a follow-up patch. Do you have any suggestions? How about: "The X-Frame-Options '{Fill-in-the-blank} provided in a <meta> element was ignored because they may only be provided in an HTTP header sent with a document."

Brent Fulgham

Comment 16 2016-04-15 17:49:11 PDT

> "The X-Frame-Options '{Fill-in-the-blank} provided in a <meta> element was > ignored because they may only be provided in an HTTP header sent with a > document." Or maybe: "The X-Frame-Option {fill in blank} supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document."

Brent Fulgham

Comment 17 2016-04-18 13:19:46 PDT

I spoke with Darin in person, and he agreed with the second choice. I'll land a patch with that change shortly.

Brent Fulgham

Comment 18 2016-04-18 16:08:49 PDT

Revised language of message: Committed r199696: <http://trac.webkit.org/changeset/199696>

Note You need to log in before you can comment on or make changes to this bug.