Title: [144105] trunk
Revision: 144105
Author: mk...@chromium.org
Date: 2013-02-26 14:00:08 -0800 (Tue, 26 Feb 2013)
Log Message
X-Frame-Options should accept ALLOWALL as a valid value.
https://bugs.webkit.org/show_bug.cgi?id=110857
Reviewed by Adam Barth.
Source/WebCore:
DoubleClick, among others, serves ALLOWALL as a 'X-Frame-Options' value
with the intent of (shock!) allowing a resource to be framed by all
origins. Given its prevalence, and the fact that IE supports the header,
we shouldn't call it out as invalid.
This patch tweaks the warning logic to only throw the warning if the
header's value isn't 'ALLOWALL', 'DENY', or 'SAMEORIGIN'.
Test: http/tests/security/XFrameOptions/x-frame-options-allowall.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
LayoutTests:
* http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-allowall.html: Added.
Exciting new test!
* http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt:
Exciting new baseline for an old test that was already using ALLOWALL!
Diff
Modified: trunk/LayoutTests/ChangeLog (144104 => 144105)
--- trunk/LayoutTests/ChangeLog 2013-02-26 21:58:36 UTC (rev 144104)
+++ trunk/LayoutTests/ChangeLog 2013-02-26 22:00:08 UTC (rev 144105)
@@ -1,3 +1,17 @@
+2013-02-26 Mike West <mk...@chromium.org>
+
+ X-Frame-Options should accept ALLOWALL as a valid value.
+ https://bugs.webkit.org/show_bug.cgi?id=110857
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-allowall.html: Added.
+ Exciting new test!
+ * http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt:
+ Exciting new baseline for an old test that was already using ALLOWALL!
+
2013-02-26 Tony Chang <t...@chromium.org>
CSS Flexbox: dynamically applied align-items doesn't affect item alignment
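Review bot: The entries for the new test files and the updated baseline say only "Exciting new test!" and "Exciting new baseline for an old test that was already using ALLOWALL!", which does not tell a later reader what is covered. Suggest stating that the new test checks that a frame served with 'X-Frame-Options: ALLOWALL' loads, and that the cached baseline changes because the 'allowall' warning is no longer emitted.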
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi (0 => 144105)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi 2013-02-26 22:00:08 UTC (rev 144105)
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/html\n";
+print "Cache-Control: no-cache, no-store\n";
+print "X-FRAME-OPTIONS: ALLOWALL\n\n";
+
+print "<p>PASS: This text should show up.</p>\n";
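Review bot: The resource sends only the upper-case spelling, in the line print "X-FRAME-OPTIONS: ALLOWALL\n\n";, while the FrameLoader.cpp change in this revision matches the value with equalIgnoringCase. A lower-case or mixed-case variant of this resource would exercise the case-insensitive match directly; the only other coverage visible in this revision is the x-frame-options-cached baseline, whose removed warnings mention 'allowall'.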
Property changes on: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt (0 => 144105)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt 2013-02-26 22:00:08 UTC (rev 144105)
@@ -0,0 +1,11 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-allowall.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-allowall.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-allowall.html, http method GET> redirectResponse (null)
+<unknown> - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-allowall.cgi - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-allowall.cgi, http status code 200>
+The frame below should load, and 'ALLOWALL' should be accepted as a valid header.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This text should show up.
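Review bot: The first three lines of this baseline are resource-load callback output (willSendRequest, didFinishLoading, didReceiveResponse with NSURLRequest/NSURLResponse formatting), which is unrelated to what the test asserts. The behaviour under test is already shown by the dumped frame text "PASS: This text should show up." and by the absence of a CONSOLE MESSAGE line, so consider dropping testRunner.dumpResourceLoadCallbacks() from the test to keep the baseline limited to those two signals.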
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall.html (0 => 144105)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-allowall.html 2013-02-26 22:00:08 UTC (rev 144105)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ }
+ </script>
+</head>
+<body>
+ <p>The frame below should load, and 'ALLOWALL' should be accepted as a valid header.</p>
+ <iframe style="width:500px; height:500px" src=""
+</body>
+</html>
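Review bot: The iframe line as shown here, <iframe style="width:500px; height:500px" src="", has an empty src and no closing ">" or </iframe>. The expected output records a request for resources/x-frame-options-allowall.cgi with this page as the main document, so the src should name that resource and the element should be closed before </body>.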
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt (144104 => 144105)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt 2013-02-26 21:58:36 UTC (rev 144104)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt 2013-02-26 22:00:08 UTC (rev 144105)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: Invalid 'X-Frame-Options' header encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/nph-cached-xfo.pl': 'allowall' is not a recognized directive. The header will be ignored.
ALERT: This must fire twice
-CONSOLE MESSAGE: Invalid 'X-Frame-Options' header encountered when loading 'http://127.0.0.1:8000/security/XFrameOptions/resources/nph-cached-xfo.pl': 'allowall' is not a recognized directive. The header will be ignored.
ALERT: This must fire twice
Check that an X-Frame-Options header added by a 304 response does not override one from the original request.
Modified: trunk/Source/WebCore/ChangeLog (144104 => 144105)
--- trunk/Source/WebCore/ChangeLog 2013-02-26 21:58:36 UTC (rev 144104)
+++ trunk/Source/WebCore/ChangeLog 2013-02-26 22:00:08 UTC (rev 144105)
@@ -1,3 +1,23 @@
+2013-02-26 Mike West <mk...@chromium.org>
+
+ X-Frame-Options should accept ALLOWALL as a valid value.
+ https://bugs.webkit.org/show_bug.cgi?id=110857
+
+ Reviewed by Adam Barth.
+
+ DoubleClick, among others, serves ALLOWALL as a 'X-Frame-Options' value
+ with the intent of (shock!) allowing a resource to be framed by all
+ origins. Given its prevelance, and the fact that IE supports the header,
+ we shouldn't call it out as invalid.
+
+ This patch tweaks the warning logic to only throw the warning if the
+ header's value isn't 'ALLOWALL', 'DENY', or 'SAMEORIGIN'.
+
+ Test: http/tests/security/XFrameOptions/x-frame-options-allowall.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
+
2013-02-26 Tony Chang <t...@chromium.org>
CSS Flexbox: dynamically applied align-items doesn't affect item alignment
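Review bot: Typo in the description paragraph: "prevelance" should be "prevalence". The entry also says the patch "tweaks the warning logic" without saying that ALLOWALL changes no load decision; a clause noting that only the console warning is affected would make the security impact clear from the ChangeLog alone.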
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (144104 => 144105)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2013-02-26 21:58:36 UTC (rev 144104)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2013-02-26 22:00:08 UTC (rev 144105)
@@ -2937,7 +2937,7 @@
RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
if (!origin->isSameSchemeHostPort(topFrame->document()->securityOrigin()))
return true;
- } else {
+ } else if (!equalIgnoringCase(content, "allowall")) {
String message = "Invalid 'X-Frame-Options' header encountered when loading '" + url.string() + "': '" + content + "' is not a recognized directive. The header will be ignored.";
m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, message, requestIdentifier);
}
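Review bot: The new condition else if (!equalIgnoringCase(content, "allowall")) leaves ALLOWALL as an implicit fall-through with no branch or comment of its own, so the set of recognized values is now split between the earlier branches and a negated test on the error path. A one-line comment above the condition saying that ALLOWALL is a recognized value that intentionally permits framing, and that only the warning is suppressed, would keep a later reader from treating the silent path as an oversight.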