Bug 1624914 Comment 4 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
> Testing with Firefox release and Chrome they don't send x-frame-options headers. (FWIW, they also send a different CSP).
> 
> Chris, can you verify that my assumptions are correct? If not, please let me know, otherwise I think we mark this bug as INVALID.
>
> The only thing that beats me is, why would they do that in the first place? I mean, why would https://trends.google.com send an x-frame-options policy of same-origin?

Strange. That's not what I see. On my computer, the trends.google.com response sends `x-frame-options: SAMEORIGIN` in Chrome 80, Edge 80, Firefox 74 Release, 75 Beta, 76 Nightly, and Firefox 76 spoofing Chrome 80's UA. So on my computer, Firefox Nightly appears to be treating `x-frame-options: SAMEORIGIN` differently. (I am testing with Fission disabled.)

Curiously, Edge (based on Chromium 80) behaves differently than Chrome 80. Edge blocked the embedded iframe, displaying a "trends.google.com refused to connect." error even though trends.google.com did return a proper response.

**Browser**|**x-frame-options**|**Behavior**
--|--|--
Chrome 80|SAMEORIGIN|iframe loaded successfully
Firefox 74 Release|SAMEORIGIN|iframe loaded successfully
Firefox 75 Beta|SAMEORIGIN|iframe loaded successfully
Firefox 72-76 Nightly|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Firefox 76 Nightly spoofing Chrome 80|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Edge 80|SAMEORIGIN|iframe blocked with "trends.google.com refused to connect." error

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
> Testing with Firefox release and Chrome they don't send x-frame-options headers. (FWIW, they also send a different CSP).
> 
> Chris, can you verify that my assumptions are correct? If not, please let me know, otherwise I think we mark this bug as INVALID.
>
> The only thing that beats me is, why would they do that in the first place? I mean, why would https://trends.google.com send an x-frame-options policy of same-origin?

Strange. That's not what I see. On my computer, the trends.google.com response sends `x-frame-options: SAMEORIGIN` in Chrome 80, Edge 80, Firefox 74 Release, 75 Beta, 76 Nightly, and Firefox 76 spoofing Chrome 80's UA. So on my computer, Firefox Nightly appears to be treating `x-frame-options: SAMEORIGIN` differently. (I am testing with Fission disabled.)

Curiously, Edge (based on Chromium 80) behaves differently than Chrome 80. Edge blocked the embedded iframe, displaying a "trends.google.com refused to connect." error even though trends.google.com did return a proper response.

**Browser**|**x-frame-options**|**Behavior**
--|--|--
Chrome 80|~SAMEORIGIN~Correction: no XFO header|iframe loaded successfully
Firefox 74 Release|SAMEORIGIN|iframe loaded successfully
Firefox 75 Beta|SAMEORIGIN|iframe loaded successfully
Firefox 72-76 Nightly|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Firefox 76 Nightly spoofing Chrome 80|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Edge 80|SAMEORIGIN|iframe blocked with "trends.google.com refused to connect." error

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
> Testing with Firefox release and Chrome they don't send x-frame-options headers. (FWIW, they also send a different CSP).
> 
> Chris, can you verify that my assumptions are correct? If not, please let me know, otherwise I think we mark this bug as INVALID.
>
> The only thing that beats me is, why would they do that in the first place? I mean, why would https://trends.google.com send an x-frame-options policy of same-origin?

Strange. That's not what I see. On my computer, the trends.google.com response sends `x-frame-options: SAMEORIGIN` in Chrome 80, Edge 80, Firefox 74 Release, 75 Beta, 76 Nightly, and Firefox 76 spoofing Chrome 80's UA. So on my computer, Firefox Nightly appears to be treating `x-frame-options: SAMEORIGIN` differently. (I am testing with Fission disabled.)

Curiously, Edge (based on Chromium 80) behaves differently than Chrome 80. Edge blocked the embedded iframe, displaying a "trends.google.com refused to connect." error even though trends.google.com did return a proper response.

**Browser**|**x-frame-options**|**Behavior**
--|--|--
Chrome 80|~SAMEORIGIN~ Correction: no XFO header|iframe loaded successfully
Firefox 74 Release|SAMEORIGIN|iframe loaded successfully
Firefox 75 Beta|SAMEORIGIN|iframe loaded successfully
Firefox 72-76 Nightly|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Firefox 76 Nightly spoofing Chrome 80|SAMEORIGIN|iframe blocked with "Blocked by X-Frame-Options Policy" error
Edge 80|SAMEORIGIN|iframe blocked with "trends.google.com refused to connect." error

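The comment above reports browsers disagreeing on whether an `x-frame-options: SAMEORIGIN` response may be framed, and notes that the framed page also sends a CSP. The model below is an added example, not code from the bug, from Firefox or from Chromium: it implements the HTML Standard's "check a navigation response's adherence to X-Frame-Options" algorithm, which is the behaviour the table is being compared against. Two points of that algorithm matter for the report: an enforced CSP `frame-ancestors` directive makes the browser ignore X-Frame-Options entirely, and SAMEORIGIN is checked against every ancestor document, not only the top-level one. The embedding origin `https://example.test`, the CSP policy objects and the header lists are constructed inputs; the report does not say which CSP trends.google.com actually sent, nor at which step Nightly or Edge deviated.

```javascript
// Added example: a model of the HTML Standard's X-Frame-Options check.
// This is not browser code; it is written here to reason about the table above.

// Same-origin comparison on serialized origins ("https://trends.google.com").
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Approximation of Fetch's "get, decode, and split": every header with the
// given name is split on commas, items are trimmed, empty items are dropped.
// Quoted-string handling is omitted (not needed for X-Frame-Options values).
function getDecodeSplit(headers, name) {
  const out = [];
  for (const [k, v] of headers) {
    if (k.toLowerCase() !== name.toLowerCase()) continue;
    for (const part of v.split(',')) {
      const t = part.trim();
      if (t !== '') out.push(t);
    }
  }
  return out;
}

// headers:         [name, value] pairs of the framed response.
// cspPolicies:     [{disposition: 'enforce'|'report', directives: [names]}] parsed
//                  from that response (constructed shape for this example).
// ancestorOrigins: serialized origins of the container document chain, nearest
//                  parent first, ending at the top-level document; [] for a
//                  top-level navigation.
// destinationOrigin: origin of the response being framed.
function checkXFrameOptions({ headers, cspPolicies = [], ancestorOrigins, destinationOrigin }) {
  // Step 1: top-level navigations are never subject to X-Frame-Options.
  if (ancestorOrigins.length === 0) return { allowed: true, reason: 'top-level navigation' };

  // Step 2: an enforced CSP frame-ancestors directive wins; XFO is ignored.
  for (const p of cspPolicies) {
    if (p.disposition !== 'enforce') continue;
    if (p.directives.includes('frame-ancestors')) {
      return { allowed: true, reason: 'CSP frame-ancestors present; X-Frame-Options ignored' };
    }
  }

  // Steps 3-5: collect the lowercased XFO values as a set.
  const xfo = new Set(getDecodeSplit(headers, 'x-frame-options').map(v => v.toLowerCase()));

  // Step 6: conflicting values where at least one is a known keyword fail closed.
  if (xfo.size > 1 && ['deny', 'allowall', 'sameorigin'].some(k => xfo.has(k))) {
    return { allowed: false, reason: 'conflicting X-Frame-Options values' };
  }
  // Step 7: several values, none recognized: the header is ignored.
  if (xfo.size > 1) return { allowed: true, reason: 'multiple unrecognized values ignored' };

  const [value] = xfo; // undefined when the header is absent

  // Step 8.
  if (value === 'deny') return { allowed: false, reason: 'DENY' };

  // Step 9: every ancestor in the chain must be same origin with the response.
  if (value === 'sameorigin') {
    for (const anc of ancestorOrigins) {
      if (!sameOrigin(anc, destinationOrigin)) {
        return { allowed: false, reason: `SAMEORIGIN: ancestor ${anc} is cross-origin` };
      }
    }
  }

  // Step 10: no header, SAMEORIGIN satisfied, or a single unrecognized value
  // (for example the obsolete ALLOW-FROM) all allow framing.
  return { allowed: true, reason: value === undefined ? 'no X-Frame-Options header' : `allowed by ${value}` };
}

// Constructed scenario modelling the report: trends.google.com framed by an
// unrelated page. The embedding origin is invented for this example.
const trendsXfoOnly = {
  headers: [['X-Frame-Options', 'SAMEORIGIN']],
  ancestorOrigins: ['https://example.test'],
  destinationOrigin: 'https://trends.google.com',
};

// Variations a practitioner would want to compare against the table above.
function demo() {
  return {
    crossOriginEmbed: checkXFrameOptions(trendsXfoOnly).allowed,
    sameOriginEmbed: checkXFrameOptions({ ...trendsXfoOnly, ancestorOrigins: ['https://trends.google.com'] }).allowed,
    nestedCrossOriginTop: checkXFrameOptions({ ...trendsXfoOnly, ancestorOrigins: ['https://trends.google.com', 'https://example.test'] }).allowed,
    withFrameAncestors: checkXFrameOptions({ ...trendsXfoOnly, cspPolicies: [{ disposition: 'enforce', directives: ['frame-ancestors'] }] }).allowed,
    noHeader: checkXFrameOptions({ ...trendsXfoOnly, headers: [] }).allowed,
    conflicting: checkXFrameOptions({ ...trendsXfoOnly, headers: [['X-Frame-Options', 'SAMEORIGIN'], ['X-Frame-Options', 'DENY']] }).allowed,
  };
}

console.log(demo());
```

Under this algorithm a SAMEORIGIN response framed cross-origin is blocked, which matches the Nightly and Edge rows, while the `withFrameAncestors` case shows why the CSP the site sends matters: if trends.google.com's response carries an enforced `frame-ancestors`, the X-Frame-Options header is not consulted at all, and a browser that consults it anyway will block where another allows.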
Back to Bug 1624914 Comment 4