Bug 110857 - X-Frame-Options should accept ALLOWALL as a valid value.
Summary: X-Frame-Options should accept ALLOWALL as a valid value.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mike West
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-26 00:58 PST by Mike West
Modified: 2013-04-16 21:39 PDT (History)
7 users (show)

See Also:

Attachments
Patch (6.80 KB, patch)
2013-02-26 01:03 PST, Mike West 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2013-02-26 00:58:42 PST 
Doubleclick, among others, serves `X-Frame-Options: ALLOWALL` with the intent of allowing framing everywhere. We should accept it as a valid value rather than warning about it's invalidity.
Comment 1 Mike West 2013-02-26 01:03:31 PST 
Created attachment 190233 [details]
Patch
Comment 2 WebKit Review Bot 2013-02-26 14:02:02 PST 
Comment on attachment 190233 [details]
Patch

Clearing flags on attachment: 190233

Committed r144105: <http://trac.webkit.org/changeset/144105>
Comment 3 WebKit Review Bot 2013-02-26 14:02:06 PST 
All reviewed patches have been landed.  Closing bug.
Comment 4 Brady Eidson 2013-04-16 17:42:28 PDT 
Why did we do this when it wasn't spec'd behavior?
Comment 5 Adam Barth 2013-04-16 18:20:43 PDT 
See explanation in ChangeLog.
Comment 6 Brady Eidson 2013-04-16 21:39:36 PDT 
I see.

The ChangeLog explains the motivation but not necessarily why it was worth it, or why it was the right course of action.

Was it the right thing to do because IE supports it?
Was it the right thing to do because advertisers/trackers send the header and expect it to work?
Was it the right thing to do because we'd rather not clutter up the JS console?

If it was the right thing to do why has WebSec/WebAppSec not added it?