Doubleclick, among others, serves `X-Frame-Options: ALLOWALL` with the intent of allowing framing everywhere. We should accept it as a valid value rather than warning about it's invalidity.
Created attachment 190233 [details]
Comment on attachment 190233 [details]
Clearing flags on attachment: 190233
Committed r144105: <http://trac.webkit.org/changeset/144105>
All reviewed patches have been landed. Closing bug.
Why did we do this when it wasn't spec'd behavior?
See explanation in ChangeLog.
The ChangeLog explains the motivation but not necessarily why it was worth it, or why it was the right course of action.
Was it the right thing to do because IE supports it?
Was it the right thing to do because advertisers/trackers send the header and expect it to work?
Was it the right thing to do because we'd rather not clutter up the JS console?
If it was the right thing to do why has WebSec/WebAppSec not added it?