RESOLVED FIXED 197226
X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
https://bugs.webkit.org/show_bug.cgi?id=197226
Chris Dumez
Reported 2019-04-23 21:04:52 PDT
X-Frame-Options header should be ignored when frame-ancestors CSP directive is present:
- https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options
"""
In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the X-Frame-Options header. If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored.
"""

Gecko and Blink follow the specification, WebKit does not. As a result, page [1] is broken with WebKit only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result.

The console shows the following error:
[Error] Refused to display 'https://www.schwab.com/public/asset?cmsid=P-4229490&h=4589' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

However, the following CSP header is also sent by the server:
Content-Security-Policy: frame-ancestors 'self' http://*.schwab.com https://*.schwab.com https://content.schwab.com http://content.schwab.com https://client.schwab.com https://lms.schwab.com https://www.schwabcdn.com https://*.schwabinstitutional.com https://*.dev-schwab.acsitefactory.com https://*.test-schwab.acsitefactory.com https://*.train-schwab.acsitefactory.com https://*.schwab.acsitefactory.com https://*.schwab.co.uk https://*.schwab.com.hk https://*.schwab.com.sg https://*.schwab.com.au https://*.schwabcharitable.org https://*.schwabmoneywise.com https://*.schwabsavingsfundamentals.com https://*.schwabbankfunds.com https://*.schwabadvisorcenter.com https://*.schwabfunds.com https://*.schwabpt.com https://*.windhaveninvestments.com https://*.schwab.tech http://www.schwabintelligenttechnologies.com https://www.schwabintelligenttechnologies.com https://*.wallst.com http://*.wallst.com;

[1] https://www.schwab.com/public/schwab/investing/investment_help/investment_research/etf_research/etfs.html?&path=/Prospect/Research/etfs/overview/oneSourceETFs.asp
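Added example, not code from the report or from WebKit: a small Python model of the CSP3 rule quoted above, deciding whether an ancestor page may frame the resource, with a flag that reproduces the pre-fix WebKit behaviour (X-Frame-Options enforced even though an enforced frame-ancestors directive is present). The ancestor URLs and the shortened frame-ancestors list are constructed from the header in the report; matching covers 'self' and host-sources only.

```python
from urllib.parse import urlsplit

# Constructed sample from the report: the framed resource and a shortened frame-ancestors list.
RESOURCE = "https://www.schwab.com/public/asset?cmsid=P-4229490&h=4589"
SAMPLE_HEADERS = {
    "x-frame-options": "sameorigin",
    "content-security-policy": "frame-ancestors 'self' http://*.schwab.com https://*.schwab.com "
                               "https://content.schwab.com https://client.schwab.com",
}

def same_origin(u, v):
    a, b = urlsplit(u), urlsplit(v)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)
def parse_csp(serialized):
    """Serialized CSP -> {directive-name: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for directive in serialized.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy
def xfo_is_ignored(headers):
    """CSP3: an enforced frame-ancestors directive obsoletes X-Frame-Options (Report-Only does not)."""
    csp = headers.get("content-security-policy")
    return csp is not None and "frame-ancestors" in parse_csp(csp)
def source_matches(expr, ancestor, resource):
    """Simplified ancestor-source matching: 'self' and host-sources (with a '*.' prefix)."""
    a, expr = urlsplit(ancestor), expr.lower()
    ahost = a.hostname or ""
    if expr == "'self'":
        return same_origin(ancestor, resource)
    e = urlsplit(expr)                                     # 'none' has no host, so never matches
    if e.scheme and not (a.scheme == e.scheme or (e.scheme == "http" and a.scheme == "https")):
        return False
    host = e.hostname or ""
    if host.startswith("*."):                              # "*.schwab.com" matches subdomains only
        return ahost.endswith(host[1:])
    return ahost == host

def frame_allowed(headers, resource, ancestor, csp_obsoletes_xfo=True):
    """csp_obsoletes_xfo=False models pre-fix WebKit, which enforced X-Frame-Options regardless."""
    csp = parse_csp(headers.get("content-security-policy", ""))
    if csp_obsoletes_xfo and xfo_is_ignored(headers):
        return any(source_matches(s, ancestor, resource) for s in csp["frame-ancestors"])
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny" or (xfo == "sameorigin" and not same_origin(ancestor, resource)):
        return False
    return "frame-ancestors" not in csp or any(source_matches(s, ancestor, resource) for s in csp["frame-ancestors"])
```

With the sample headers, https://client.schwab.com is allowed under the spec rule and refused under the pre-fix behaviour, which is the "Refused to display" outcome in the report; a Report-Only policy does not suppress X-Frame-Options.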
Attachments
Patch (13.51 KB, patch)
2019-04-23 21:09 PDT, Chris Dumez
no flags
Patch (13.52 KB, patch)
2019-04-23 21:12 PDT, Chris Dumez
no flags
Radar WebKit Bug Importer
Comment 1 2019-04-23 21:05:25 PDT
Chris Dumez
Comment 2 2019-04-23 21:09:05 PDT
Chris Dumez
Comment 3 2019-04-23 21:12:00 PDT
Chris Dumez
Comment 4 2019-04-24 08:43:15 PDT
Comment on attachment 368111 [details]
Patch

Clearing flags on attachment: 368111

Committed r244589: <https://trac.webkit.org/changeset/244589>
Chris Dumez
Comment 5 2019-04-24 08:43:17 PDT
All reviewed patches have been landed. Closing bug.