Misleading console message for X-Frame-Options Allow-From mismatch (remove X-Frame-Options: allow-from)
Categories
(Core :: DOM: Security, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: ericlaw1979, Assigned: jkt)
References
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-backlog3])
Attachments
(1 file)
Comment 1•9 years ago
Comment 2•6 years ago
Updated•6 years ago
Comment 3•6 years ago
Sorry, I just saw this now, as I was working on removing this in Bug 1566420, but this has the exact details of the issue we discovered there.
Comment 5•6 years ago
The latest patch issues the following console warnings:
Load denied by X-Frame-Options: “deny” from “http://localhost:3000/”, site does not permit any framing. Attempted to load into “http://localhost:3000/”.
Invalid X-Frame-Options: “allow-from example.com” header from “http://localhost:3000/” loaded into “http://localhost:3000/”.
Load denied by X-Frame-Options: “sameorigin” from “http://localhost:3000/”, site does not permit cross-origin framing from “http://localhost:3000/”.
Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.
Comment 7•6 years ago
(In reply to stock from comment #6)
> Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.
I'd rather we didn't maintain C++ code to link to this directly.
However, the MDN doc already does suggest CSP; I'll make sure we have a "learn more" link to MDN instead.
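As an added example (not code from this bug or from Firefox), the translation comment #6 calls easy: a converter from each X-Frame-Options value to its CSP frame-ancestors equivalent, which rejects the scheme-less "allow-from example.com" shown in the console warnings above, plus a checker that evaluates a frame-ancestors source list against an embedding origin. Function names and the sample origins are assumptions.

```javascript
// Added example, not code from the bug or from Firefox.
// Map one X-Frame-Options value to the equivalent frame-ancestors directive.
// Returns { directive, warning }; directive is null for values the header
// cannot express (Firefox 70+ reports such values as invalid X-Frame-Options).
function xfoToFrameAncestors(xfoValue) {
  const raw = xfoValue.trim();
  const lower = raw.toLowerCase();
  if (lower === "deny") return { directive: "frame-ancestors 'none'", warning: null };
  if (lower === "sameorigin") return { directive: "frame-ancestors 'self'", warning: null };
  const m = /^allow-from\s+(\S+)$/i.exec(raw);
  if (!m) return { directive: null, warning: `invalid X-Frame-Options value: "${raw}"` };
  let url;
  try {
    // allow-from took a serialized origin, so "example.com" (no scheme) is rejected here too
    url = new URL(m[1]);
  } catch (e) {
    return { directive: null, warning: `allow-from needs an absolute origin, got "${m[1]}"` };
  }
  return {
    directive: `frame-ancestors ${url.origin}`,
    warning: "allow-from is removed in Firefox 70 (treated as an invalid header); serve the CSP directive instead",
  };
}

// Evaluate a frame-ancestors source list against the embedding page's origin.
// Handles 'none', 'self', scheme-only sources (https:) and scheme://host[:port]
// with an optional leading wildcard label (https://*.example.com). Hosts are
// compared literally, so an explicit port in the source must match exactly.
function frameAncestorsAllows(directive, embedderOrigin, documentOrigin) {
  const sources = directive.replace(/^frame-ancestors\s+/i, "").trim().split(/\s+/);
  const embedder = new URL(embedderOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (new URL(documentOrigin).origin === embedder.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (embedder.protocol === src.toLowerCase()) return true;
      continue;
    }
    const mm = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/]+)$/i.exec(src);
    if (!mm) continue; // unsupported source expression: ignore it
    const [, scheme, wild, host] = mm;
    const schemeOk = embedder.protocol === scheme.toLowerCase() + ":";
    const h = host.toLowerCase();
    const hostOk = wild ? embedder.host.endsWith("." + h) : embedder.host === h;
    if (schemeOk && hostOk) return true;
  }
  return false;
}
```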
Updated•6 years ago
Comment 9•6 years ago
bugherder
Comment 10•6 years ago
Announced on Fx 70 for developers release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/70#HTTP
Updated reference page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Updated compat data: https://github.com/mdn/browser-compat-data/pull/4869
Does this look good to you, jkt?
Updated•6 years ago
Comment 12•6 years ago
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/x-frame-options-allow-from-directive-has-been-removed/