Chromium Code Reviews

Issue 1326823003: CSP: 'frame-ancestors' should override 'x-frame-options'. (Closed)

Created: 5 years, 3 months ago by Mike West
Modified: 5 years, 3 months ago
Reviewers: estark
CC: blink-reviews, gavinp+loader_chromium.org, Nate Chapin, kinuko+watch, mkwst+watchlist-csp_chromium.org, tyoshino+watch_chromium.org
Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Target Ref: refs/heads/master
Project: blink
Visibility: Public.

Description

CSP: 'frame-ancestors' should override 'x-frame-options'.

As specified in [1], the 'frame-ancestors' CSP directive should take control of the access checks when loading a document. In particular, the 'x-frame-options' header should be ignored if a 'frame-ancestors' directive is present and enforced.

[1]: https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options

BUG=510423
R=estark@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=201959
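The precedence the description above specifies, modelled as an added example (this is not Blink's code and not part of this review): given a response's headers and the origins of the ancestor frames, it reports whether framing is allowed and which header decided. It assumes a single Content-Security-Policy header, frame-ancestors sources limited to 'none', 'self' and full origins, and treats X-Frame-Options values other than DENY and SAMEORIGIN as if the header were absent.

```python
"""Illustrative model of the check precedence this review implements: an
enforced Content-Security-Policy with frame-ancestors takes over and
X-Frame-Options is ignored; otherwise X-Frame-Options applies. Not Blink's
code. Assumes one CSP header and frame-ancestors sources limited to
'none', 'self' and full origins (no wildcards)."""

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def frame_ancestors_allows(sources, ancestors, document_origin):
    """Every ancestor origin must match one frame-ancestors source."""
    if sources == ["'none'"]:
        return False
    allowed = {document_origin if s == "'self'" else s.lower() for s in sources}
    return all(a.lower() in allowed for a in ancestors)

def xfo_allows(value, ancestors, document_origin):
    """DENY and SAMEORIGIN are enforced; any other value is treated as if the
    header were absent (assumption: ALLOW-FROM is not modelled)."""
    value = value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return all(a.lower() == document_origin for a in ancestors)
    return True

def framing_allowed(response_headers, ancestors, document_origin):
    """Return (allowed, governing_header) for a document whose ancestor frame
    origins are `ancestors`; an empty chain is a top-level load."""
    if not ancestors:
        return True, None
    headers = {k.lower(): v for k, v in response_headers.items()}
    document_origin = document_origin.lower()
    # Only the enforced header counts: frame-ancestors in
    # Content-Security-Policy-Report-Only does not switch off X-Frame-Options.
    policy = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in policy:
        ok = frame_ancestors_allows(policy["frame-ancestors"], ancestors, document_origin)
        return ok, "frame-ancestors"
    if "x-frame-options" in headers:
        ok = xfo_allows(headers["x-frame-options"], ancestors, document_origin)
        return ok, "x-frame-options"
    return True, None
```

The first two cases in the test below are the ones the review's layout test exercises: a frame-ancestors directive that contradicts X-Frame-Options wins in both directions.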

Patch Set 1

Total comments: 2
Stats: +76 lines, -17 lines

A   LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html (1 chunk, +31 lines, -0 lines, 0 comments)
A + LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl (1 chunk, +3 lines, -2 lines, 2 comments)
M   Source/core/frame/csp/CSPDirectiveList.h (1 chunk, +1 line, -0 lines, 0 comments)
M   Source/core/frame/csp/ContentSecurityPolicy.h (1 chunk, +1 line, -0 lines, 0 comments)
M   Source/core/frame/csp/ContentSecurityPolicy.cpp (1 chunk, +9 lines, -0 lines, 0 comments)
M   Source/core/frame/csp/ContentSecurityPolicyTest.cpp (1 chunk, +12 lines, -0 lines, 0 comments)
M   Source/core/loader/DocumentLoader.cpp (2 chunks, +19 lines, -15 lines, 0 comments)

Messages

Total messages: 6 (1 generated)
Mike West
Emily, you like reviewing patches, right? :) -mike
5 years, 3 months ago (2015-09-08 08:23:11 UTC) #1
estark
LGTM with one mild confusion inline

https://codereview.chromium.org/1326823003/diff/1/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl
File LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl (right):
https://codereview.chromium.org/1326823003/diff/1/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl#newcode9
LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl:9: print "X-Frame-Options: " ...
5 years, 3 months ago (2015-09-08 18:15:47 UTC) #2
estark
https://codereview.chromium.org/1326823003/diff/1/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl
File LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl (right):
https://codereview.chromium.org/1326823003/diff/1/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl#newcode9
LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-and-x-frame-options.pl:9: print "X-Frame-Options: " . $cgi->param("xfo") . "\n\n";
On 2015/09/08 ...
5 years, 3 months ago (2015-09-08 18:18:21 UTC) #3
commit-bot: I haz the power
CQ is trying da patch.
Follow status at https://chromium-cq-status.appspot.com/patch-status/1326823003/1
View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1326823003/1
5 years, 3 months ago (2015-09-09 08:12:43 UTC) #5
commit-bot: I haz the power
Message was sent while issue was closed.
Committed patchset #1 (id:1) as https://src.chromium.org/viewvc/blink?view=rev&revision=201959
5 years, 3 months ago (2015-09-09 08:16:56 UTC) #6
