Closed Bug 1025666 Opened 11 years ago Closed 11 years ago

Loads blocked by X-Frame-Options should result in an error page

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
30 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 631853

People

(Reporter: andreas_b123, Unassigned)

Details

(Keywords: uiwanted)

Attachments

(1 file)

Testcase with an Iframe
461 bytes, text/html
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release) Build ID: 20140608211828 Steps to reproduce: Embedded a Page in an iframe from another URL, where X-Frame is SAMEORIGIN. => The Page should not be displayed because of security Reasons Actual results: Firefox displayes only a white Frame, only in Firebug a message is printed. Expected results: Firefox should display a Page like "Server not found", e.g. "This page cannot be displyed in a Frame because of Security Reasons" Maybe some details Button: [Open this Frame in a new Tab]
Could you please provide a minimal testcase?
Component: Untriaged → DOM
Flags: needinfo?(andreas_b123)
Product: Firefox → Core
Testcase, in the First iframe is not displayed, because the Yahoo Server does not allow it. Firefox displays nothing, only in Firebug I can see the reason.
Flags: needinfo?(andreas_b123)
Download the example, now nothing is displayed because the Ifreame is a HTTP connection, and the Main page a HTTPS connection. May this can also be fixed, should be in the same code range. Also display an error, so the user sees also only a white frame...
This is basically asking for an error page for the case when X-Frame-Options denies a load. That seems perfectly sensible, and http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00#section-2.3.2 suggests it as well. Like most error pages, this probably needs UX input.
Status: UNCONFIRMED → NEW
Component: DOM → Document Navigation
Ever confirmed: true
Keywords: uiwanted
Summary: X-Frame: Nothing Displayed, only Development output → Loads blocked by X-Frame-Options should result in an error page
Dup of bug 631853 and bug 561916.
Markus, thanks!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: