RESOLVED FIXED 186090
REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')
https://bugs.webkit.org/show_bug.cgi?id=186090
Sam Sneddon [:gsnedders]
Reported 2018-05-30 07:14:40 PDT
On https://www.odeon.co.uk I am unable to buy tickets in STP 56, but can in Safari 11.1 (13605.1.33.1.4). Ultimately, this fails with a frame navigation being refused because 'X-Frame-Options' is set to 'SAMEORIGIN'.

Repro steps:
1. Load https://www.odeon.co.uk/
2. Scroll to "Quick Links", choose any cinema/film/date, hit "Go".
3. Click on one of the times displayed below.
4. Click on the "Book now" link that appears.
5. Click on "Book as guest" after navigation.
6. Select "1" adult ticket (this probably doesn't matter) and click "Confirm tickets".
7. Choose seat (if required), click "Continue".
8. Click "Confirm Order".
9. Enter name and email address, click "Enter card details".
10. Enter card details (Visa test card number 4111111111111111 suffices, card security code "123", expiry any future date).
11. Click "Pay and complete order".

At this point, I expect a navigation or two to happen and then the tickets to be booked (or, using the test card number, a payment failure). Instead, however, we get logged to the console:

Refused to display 'https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml?bookingProcessId=763dfc57f501c9d639f0b35cc43d3172571753f2&accessible=1&useGETjsessionid=1&dts_reference=3100108257386587' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

As far as I can tell, this is trying to navigate the externalUrlIframe iframe, and note that externalUrlIframe.parent.origin == "https://www.odeon.co.uk", hence my belief that this X-Frame-Options failure is bogus.
Attachments
Work-in-progress patch (8.85 KB, patch)
2018-06-25 17:12 PDT, Daniel Bates
no flags
Archive of layout-test-results from ews206 for win-future (12.79 MB, application/zip)
2018-06-26 01:32 PDT, EWS Watchlist
no flags
Patch and layout test (12.58 KB, patch)
2018-06-26 13:30 PDT, Daniel Bates
no flags
Radar WebKit Bug Importer
Comment 1 2018-05-31 11:21:44 PDT
Daniel Bates
Comment 2 2018-06-25 16:57:05 PDT
When you click the button Pay and complete order the site POSTs a form to <https://hps.datacash.com/hps/?> from a child iframe whose URL is of the form: <https://hps.datacash.com/hps/?HPS_SessionID=7f72d137-0dae-4ec4-b6a6-81509c1915d>. And the URL <https://hps.datacash.com/hps/?> ultimately redirects to a URL of the form: <https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml?bookingProcessId=0eac9e9e5a02305931ab47b2bb78a5685cea0373&accessible=1&useGETjsessionid=1&dts_reference=3000108365129513>. The destination page on www.odeon.co.uk includes "X-Frame-Options: SAMEORIGIN" in its HTTP response.
Daniel Bates
Comment 3 2018-06-25 17:10:22 PDT
Currently as a performance optimization we compare the request URL (associated with response that includes the X-Frame-Options header) against the source origin of the document that initiated the request when applying the X-Frame-Options policy at <https://trac.webkit.org/browser/trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp?rev=233157#L377>. This is incorrect. We need to compare against the origin of the document in the top-most frame. Additionally, NetworkResourceLoadParameters::frameAncestorOrigins is computed incorrectly. In particular, it should not include the security origin of the frame associated with the navigation request we are applying the X-Frame-Options policy to because this origin represents the origin of the document that initiated the navigation as we have not navigated the frame, yet.
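The two checks described in this comment, modelled as an added example in plain C++ (not WebKit's code): origins are strings, the frame chain is a constructed top-down list, and the datacash/odeon scenario from comment 2 is the sample input.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed model of the SAMEORIGIN decision from this bug; not WebKit code.
struct FrameChain {
    // Document origins from the top-most frame down to the frame being
    // navigated. The last entry is that frame's current (pre-navigation)
    // document, which here is also the document that initiated the request.
    std::vector<std::string> originsTopDown;
};

// Ancestor origins as the bug computed them: they include the navigated
// frame's own current document, which the response is about to replace.
std::vector<std::string> ancestorOriginsBuggy(const FrameChain& chain) {
    return chain.originsTopDown;
}

// Corrected: strictly the ancestors, excluding the navigated frame itself.
std::vector<std::string> ancestorOriginsFixed(const FrameChain& chain) {
    if (chain.originsTopDown.size() < 2) return {};
    return std::vector<std::string>(chain.originsTopDown.begin(), chain.originsTopDown.end() - 1);
}

// Regressed check: response origin vs. the initiating document's origin
// (the iframe's current document) instead of the top frame.
bool sameOriginAllowsBuggy(const std::string& responseOrigin, const FrameChain& chain) {
    return responseOrigin == chain.originsTopDown.back();
}

// Corrected check: response origin vs. the top-most frame's document origin.
bool sameOriginAllowsFixed(const std::string& responseOrigin, const FrameChain& chain) {
    return responseOrigin == chain.originsTopDown.front();
}

// Scenario from this bug: an odeon.co.uk page hosting an iframe currently on
// hps.datacash.com, whose form POST redirects back to an odeon.co.uk page
// served with X-Frame-Options: SAMEORIGIN.
FrameChain odeonScenario() {
    return FrameChain{{"https://www.odeon.co.uk", "https://hps.datacash.com"}};
}

int main() {
    const std::string response = "https://www.odeon.co.uk";
    const FrameChain chain = odeonScenario();
    std::cout << "buggy: " << (sameOriginAllowsBuggy(response, chain) ? "display" : "refuse") << '\n';
    std::cout << "fixed: " << (sameOriginAllowsFixed(response, chain) ? "display" : "refuse") << '\n';
}
```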
Daniel Bates
Comment 4 2018-06-25 17:12:28 PDT
Created attachment 343562 [details] Work-in-progress patch
EWS Watchlist
Comment 5 2018-06-26 01:31:59 PDT
Comment on attachment 343562 [details]
Work-in-progress patch

Attachment 343562 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8343967

New failing tests:
http/tests/security/video-poster-cross-origin-crash2.html
EWS Watchlist
Comment 6 2018-06-26 01:32:10 PDT
Created attachment 343595 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Daniel Bates
Comment 7 2018-06-26 13:30:54 PDT
Created attachment 343634 [details] Patch and layout test
Daniel Bates
Comment 8 2018-06-26 17:01:05 PDT
(In reply to Build Bot from comment #5)
> Comment on attachment 343562 [details]
> Work-in-progress patch
>
> Attachment 343562 [details] did not pass win-ews (win):
> Output: https://webkit-queues.webkit.org/results/8343967
>
> New failing tests:
> http/tests/security/video-poster-cross-origin-crash2.html

There is no crash log in the archive :( Looking at the markup of this test I am unclear how it relates to the changes made in the attached patch.
Daniel Bates
Comment 9 2018-06-26 18:23:17 PDT
Comment on attachment 343634 [details]
Patch and layout test

Clearing flags on attachment: 343634

Committed r233237: <https://trac.webkit.org/changeset/233237>
Daniel Bates
Comment 10 2018-06-26 18:23:19 PDT
All reviewed patches have been landed. Closing bug.