Summary: | Implement X-Frame-Options | ||
---|---|---|---|
Product: | WebKit | Reporter: | Adam Barth <abarth> |
Component: | Frames | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | Normal | CC: | peaceable_whale, sam, spamfagos, steffen.weber |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx |
Description
Adam Barth
2009-02-11 17:30:12 PST
This seems to be done in http://trac.webkit.org/changeset/42333 Indeed. I didn't remember this bug when I implemented it. My bad. The current implementation of X-Frame-Options is not complete! IE8+ also supports ALLOW-FROM origin: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx Are there are plans to implement this in webkit? X-Frame-Options is currently working its way though the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest. |