Closed Bug 1301529 Opened 7 years ago Closed 4 years ago

Misleading console message for X-Frame-Options Allow-From mismatch (remove X-Frame-Options: allow-from)

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
51 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox70 --- fixed

People

(Reporter: ericlaw1979, Assigned: jkt)

References

Details

(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-backlog3])

Attachments

(1 file)

Bug 1301529 - Remove X-Frame-Options allow-from.
47 bytes, text/x-phabricator-request
Details | Review 
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

Steps to reproduce:

Visit http://www.enhanceie.com/test/ClickJack/default.asp with console open.


Actual results:

As expected, observe that the frame does not load under "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)" because the X-FRAME-OPTIONS directive only allows a different host to frame the target.

  GET http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp HTTP/1.1
  Host: www.enhanceie.com

  HTTP/1.1 200 OK
  X-Frame-Options: ALLOW-FROM http://www.DebugTheWeb.com/

Problem: Look in console log. See text: "Load denied by X-Frame-Options: http://www.debugtheweb.com/ does not permit framing by http://www.enhanceie.com/test/ClickJack/default.asp."

This is misleading, because the site forbidding framing isn't the one listed.


Expected results:

The problem is that "www.debugtheweb.com" isn't the page forbidding framing, it's the value of the ALLOW-FROM value.

The message should be something like:
"Load denied by X-Frame-Options: http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not does not permit framing by http://www.enhanceie.com. Only framing by http://www.debugtheweb.com/ is permitted."

Alternatively, to simplify the fix, the message could be made "Load denied by X-Frame-Options: ALLOW-FROM: http://www.debugtheweb.com/ does not does not permit framing by http://www.enhanceie.com."

Relevant source: https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#397
(In reply to Eric from comment #0)

Eric, thanks for reporting.

> The message should be something like:
> "Load denied by X-Frame-Options:
> http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not does
> not permit framing by http://www.enhanceie.com. Only framing by
> http://www.debugtheweb.com/ is permitted."

I can reproduce the problem and you are absolutely right, the problem occurs somewhere within ReportXFOViolation() [1]. Whenever someone is going to fix that bug, please also replace the harcoded | NS_LITERAL_STRING("Load denied by X-Frame-Options: "); | with something more local friendly.

Putting in the backlog for now.

[1] https://hg.mozilla.org/mozilla-central/annotate/7c576fe3279d87543f0a03b844eba7bc215e17f1/docshell/base/nsDSURIContentListener.cpp#l463
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
Attachment #9079359 - Attachment description: Bug 1566420 - Remove X-Frame-Options allow-from. → Bug 1301529 - Remove X-Frame-Options allow-from.

Sorry I just saw this now, as I was working on removing this in Bug 1566420 but this is has the exact details of the issue we discovered there.

Assignee: nobody → jkt
Status: NEW → ASSIGNED
See Also: → 1567890

The latest patch issues the following console warnings:

Load denied by X-Frame-Options: “deny” from “http://localhost:3000/”, site does not permit any framing. Attempted to load into “http://localhost:3000/”.

Invalid X-Frame-Options: “allow-from example.com” header from “http://localhost:3000/” loaded into “http://localhost:3000/”.

Load denied by X-Frame-Options: “sameorigin” from “http://localhost:3000/”, site does not permit cross-origin framing from “http://localhost:3000/”.

Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.

(In reply to stock from comment #6)

Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.

I'd rather we didn't maintain C++ code to link to this directly.
However the MDN doc already does suggest CSP, I'll make sure we have a learn more link linking to MDN instead.

Keywords: dev-doc-needed
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b0e249d06e39
Remove X-Frame-Options allow-from. r=ckerschb

https://hg.mozilla.org/mozilla-central/rev/b0e249d06e39

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Summary: Misleading console message for X-Frame-Options Allow-From mismatch → Misleading console message for X-Frame-Options Allow-From mismatch (remove X-Frame-Options: allow-from)

Announced on Fx 70 for developers release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/70#HTTP
Updated reference page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Updated compat data: https://github.com/mdn/browser-compat-data/pull/4869

Does this look good to you, jkt?

Flags: needinfo?(jkt)

LGTM thanks!

Flags: needinfo?(jkt)
You need to log in before you can comment on or make changes to this bug.