XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

As a result of moving our 'X-Frame-Options' checks up to the browser
process (https://chromium.googlesource.com/chromium/src/+/26a6fc92ae361b4271f8f2197abe7eb063fc43ed)
we're now applying that header's protections to responses that we would
previously have treated as downloads. This patch brings us back to our
initial behavior (which aligns with other major browsers).

BUG=610284
R=creis@chromium.org,clamy@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

[Mike West, 2016-05-11 10:25:41]

Description was changed from

==========
XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

As a result of moving our 'X-Frame-Options' checks up to the browser
process
(https://chromium.googlesource.com/chromium/src/+/26a6fc92ae361b4271f8f2197abe...)
we're now applying that header's protections to responses that we would
previously have treated as downloads. This patch brings us back to our
initial behavior (which aligns with other major browsers).

BUG=610284
R=creis@chromium.org,clamy@chromium.org
==========

to

==========
XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

As a result of moving our 'X-Frame-Options' checks up to the browser
process
(https://chromium.googlesource.com/chromium/src/+/26a6fc92ae361b4271f8f2197abe...)
we're now applying that header's protections to responses that we would
previously have treated as downloads. This patch brings us back to our
initial behavior (which aligns with other major browsers).

BUG=610284
R=creis@chromium.org,clamy@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[Mike West, 2016-05-11 10:26:22]

Hi! WDYT about this approach to fixing https://crbug.com/610284?

[Charlie Reis, 2016-05-11 16:59:00]

creis@chromium.org changed reviewers:
+ mmenke@chromium.org, nasko@chromium.org

[Charlie Reis, 2016-05-11 16:59:00]

Given mmenke's concern and nasko's comment on the bug, it sounds like we might
want to set this aside, revert the original CL, and reland it when it addresses
this problem.  (I'm sad to see the original one reverted, but it does seem worth
getting this aspect right.)

[Charlie Reis, 2016-05-11 16:59:15]

Description was changed from

==========
XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

As a result of moving our 'X-Frame-Options' checks up to the browser
process
(https://chromium.googlesource.com/chromium/src/+/26a6fc92ae361b4271f8f2197abe...)
we're now applying that header's protections to responses that we would
previously have treated as downloads. This patch brings us back to our
initial behavior (which aligns with other major browsers).

BUG=610284
R=creis@chromium.org,clamy@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...'

As a result of moving our 'X-Frame-Options' checks up to the browser
process
(https://chromium.googlesource.com/chromium/src/+/26a6fc92ae361b4271f8f2197abe...)
we're now applying that header's protections to responses that we would
previously have treated as downloads. This patch brings us back to our
initial behavior (which aligns with other major browsers).

BUG=610284
R=creis@chromium.org,clamy@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========