Bug 197226 - X-Frame-Options header should be ignored when frame-ancestors CSP directive is present
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL: https://www.w3.org/TR/CSP3/#frame-anc...
Keywords: InRadar
Depends on:
Reported: 2019-04-23 21:04 PDT by Chris Dumez
Modified: 2019-04-24 08:43 PDT

See Also:

Patch (13.51 KB, patch)
2019-04-23 21:09 PDT, Chris Dumez
Patch (13.52 KB, patch)
2019-04-23 21:12 PDT, Chris Dumez

Description Chris Dumez 2019-04-23 21:04:52 PDT
X-Frame-Options header should be ignored when frame-ancestors CSP directive is present:
- https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options

In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the X-Frame-Options header. If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored.

Gecko and Blink follow the specification, WebKit does not. As a result, page [1] is broken in WebKit only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result.

The console shows the following error:
[Error] Refused to display 'https://www.schwab.com/public/asset?cmsid=P-4229490&h=4589' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

However, the following CSP header is also sent by the server:
Content-Security-Policy: frame-ancestors 'self' http://*.schwab.com https://*.schwab.com https://content.schwab.com http://content.schwab.com https://client.schwab.com https://lms.schwab.com https://www.schwabcdn.com https://*.schwabinstitutional.com https://*.dev-schwab.acsitefactory.com https://*.test-schwab.acsitefactory.com https://*.train-schwab.acsitefactory.com https://*.schwab.acsitefactory.com https://*.schwab.co.uk https://*.schwab.com.hk https://*.schwab.com.sg https://*.schwab.com.au https://*.schwabcharitable.org https://*.schwabmoneywise.com https://*.schwabsavingsfundamentals.com https://*.schwabbankfunds.com https://*.schwabadvisorcenter.com https://*.schwabfunds.com https://*.schwabpt.com https://*.windhaveninvestments.com https://*.schwab.tech http://www.schwabintelligenttechnologies.com https://www.schwabintelligenttechnologies.com https://*.wallst.com http://*.wallst.com;

[1] https://www.schwab.com/public/schwab/investing/investment_help/investment_research/etf_research/etfs.html?&path=/Prospect/Research/etfs/overview/oneSourceETFs.asp
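A worked model of the precedence rule quoted in the description, added here as an example (it is not WebKit's code): an enforced frame-ancestors directive is evaluated ahead of X-Frame-Options, a report-only policy does not suppress X-Frame-Options, and a second function models the pre-fix behaviour the report describes. Assumptions: origins are written as scheme://host with no port, only 'self', 'none' and host source expressions are matched, and the header set is constructed from a trimmed version of the quoted Schwab policy.

```python
def parse_csp(value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, ancestor, self_origin):
    """One frame-ancestors source vs an ancestor origin 'scheme://host' (assumption: no ports; 'self', 'none' and host sources only)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == self_origin
    a_scheme, a_host = ancestor.lower().split("://", 1)
    scheme, host = source.lower().split("://", 1) if "://" in source else (None, source.lower())
    # Scheme-less host source: the resource's own scheme, or https as an upgrade of http.
    self_scheme = self_origin.split("://", 1)[0].lower()
    scheme_ok = a_scheme == scheme if scheme else a_scheme in {self_scheme, "https"}
    if host.startswith("*."):
        return scheme_ok and a_host.endswith(host[1:])  # wildcard needs at least one label
    return scheme_ok and a_host == host

def xfo_allows(value, ancestor, self_origin):
    """X-Frame-Options; values other than DENY/SAMEORIGIN are ignored (not enforced)."""
    v = value.strip().lower()
    if v == "deny":
        return False
    return ancestor == self_origin if v == "sameorigin" else True

def may_be_framed(headers, ancestor, resource_origin):
    """CSP3 behaviour: an enforced frame-ancestors wins; report-only does not suppress XFO."""
    h = {k.lower(): v for k, v in headers.items()}
    enforced = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in enforced:
        return any(source_matches(s, ancestor, resource_origin) for s in enforced["frame-ancestors"])
    if "x-frame-options" in h:
        return xfo_allows(h["x-frame-options"], ancestor, resource_origin)
    return True

def legacy_may_be_framed(headers, ancestor, resource_origin):
    """Model of the pre-fix behaviour from the report: XFO is still enforced alongside frame-ancestors."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo_ok = xfo_allows(h.get("x-frame-options", ""), ancestor, resource_origin)
    return xfo_ok and may_be_framed(headers, ancestor, resource_origin)

# Constructed headers, trimmed from the frame-ancestors list quoted in the report.
SCHWAB_HEADERS = {"X-Frame-Options": "sameorigin",
                  "Content-Security-Policy": "frame-ancestors 'self' https://*.schwab.com https://www.schwabcdn.com;"}
```

Running may_be_framed against legacy_may_be_framed for an embedder such as https://client.schwab.com shows the disagreement the report describes: the spec-following check allows it through frame-ancestors, the legacy check refuses it on X-Frame-Options.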
Comment 1 Radar WebKit Bug Importer 2019-04-23 21:05:25 PDT
Comment 2 Chris Dumez 2019-04-23 21:09:05 PDT
Created attachment 368110
Comment 3 Chris Dumez 2019-04-23 21:12:00 PDT
Created attachment 368111
Comment 4 Chris Dumez 2019-04-24 08:43:15 PDT
Comment on attachment 368111

Clearing flags on attachment: 368111

Committed r244589: <https://trac.webkit.org/changeset/244589>
Comment 5 Chris Dumez 2019-04-24 08:43:17 PDT
All reviewed patches have been landed. Closing bug.