Misleading console message for X-Frame-Options Allow-From mismatch (remove X-Frame-Options: allow-from)

Categories: Core :: DOM: Security, defect, P3

Release | Tracking | Status
---|---|---
firefox70 | --- | fixed

People: Reporter: ericlaw1979, Assigned: jkt

Keywords: dev-doc-complete, site-compat; Whiteboard: [domsecurity-backlog3]

Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

Steps to reproduce:

Visit http://www.enhanceie.com/test/ClickJack/default.asp with console open.

Actual results:

As expected, observe that the frame does not load under "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)" because the X-FRAME-OPTIONS directive only allows a different host to frame the target.

GET http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp HTTP/1.1
Host: www.enhanceie.com

HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM http://www.DebugTheWeb.com/

Problem: Look in console log. See text:

"Load denied by X-Frame-Options: http://www.debugtheweb.com/ does not permit framing by http://www.enhanceie.com/test/ClickJack/default.asp."

This is misleading, because the site forbidding framing isn't the one listed.

Expected results:

The problem is that "www.debugtheweb.com" isn't the page forbidding framing, it's the ALLOW-FROM value. The message should be something like:

"Load denied by X-Frame-Options: http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not permit framing by http://www.enhanceie.com. Only framing by http://www.debugtheweb.com/ is permitted."

Alternatively, to simplify the fix, the message could be made:

"Load denied by X-Frame-Options: ALLOW-FROM: http://www.debugtheweb.com/ does not permit framing by http://www.enhanceie.com."

Relevant source: https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#397
Comment 1•7 years ago
(In reply to Eric from comment #0)

Eric, thanks for reporting.

> The message should be something like:
> "Load denied by X-Frame-Options:
> http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not
> permit framing by http://www.enhanceie.com. Only framing by
> http://www.debugtheweb.com/ is permitted."

I can reproduce the problem and you are absolutely right, the problem occurs somewhere within ReportXFOViolation() [1]. Whenever someone is going to fix that bug, please also replace the hardcoded

| NS_LITERAL_STRING("Load denied by X-Frame-Options: "); |

with something more locale-friendly. Putting in the backlog for now.

[1] https://hg.mozilla.org/mozilla-central/annotate/7c576fe3279d87543f0a03b844eba7bc215e17f1/docshell/base/nsDSURIContentListener.cpp#l463
Comment 3•4 years ago
Sorry, I just saw this now, as I was working on removing this in Bug 1566420, but this has the exact details of the issue we discovered there.
Comment 5•4 years ago
The latest patch issues the following console warnings:
Load denied by X-Frame-Options: “deny” from “http://localhost:3000/”, site does not permit any framing. Attempted to load into “http://localhost:3000/”.
Invalid X-Frame-Options: “allow-from example.com” header from “http://localhost:3000/” loaded into “http://localhost:3000/”.
Load denied by X-Frame-Options: “sameorigin” from “http://localhost:3000/”, site does not permit cross-origin framing from “http://localhost:3000/”.
Comment 6•4 years ago

Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.
Comment 7•4 years ago
(In reply to stock from comment #6)

> Dropping in unannounced, if I may suggest that Firefox issues a warning on the console and tells them to use CSP's frame-ancestors instead (the corresponding value is easy to generate out of the XFO header). Maybe that will teach some of them to rely on the well-specified alternative to XFO.
I'd rather we didn't maintain C++ code to link to this directly.
However the MDN doc already does suggest CSP, I'll make sure we have a learn more link linking to MDN instead.
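The following is an added example and is not Firefox source or code from anyone in this thread. It models two things the thread discusses: the framing decision that remains after allow-from is removed (deny and sameorigin are enforced, anything else is reported as invalid, as in the comment 5 warnings), and the X-Frame-Options to CSP frame-ancestors rewrite that comment 6 says is easy to generate. The function names, the straight-quoted message text, and the choice to check sameorigin against every ancestor origin (outermost first) rather than only the top-level page are assumptions of this example, not documented Firefox behaviour.

```javascript
// Added example (not Firefox code): model the post-removal X-Frame-Options
// handling discussed in this bug and the XFO -> CSP frame-ancestors rewrite
// suggested in comment 6. Assumption: "sameorigin" is checked against every
// ancestor origin, passed outermost-first, not only the top-level page.

// Classify a raw header value. Anything that is not exactly "deny" or
// "sameorigin" (case-insensitive) is invalid, which since Firefox 70 includes
// every "allow-from ..." form.
function parseXfo(headerValue) {
  const v = headerValue.trim().toLowerCase();
  if (v === 'deny') return { kind: 'deny' };
  if (v === 'sameorigin') return { kind: 'sameorigin' };
  if (v.startsWith('allow-from')) {
    return { kind: 'invalid', reason: 'allow-from is no longer supported' };
  }
  return { kind: 'invalid', reason: 'unrecognized directive' };
}

// Decide whether a document served with `headerValue` from `frameOrigin` may
// load inside `ancestors` (array of origins, outermost first). Returns the
// decision plus a console-style message in the shape shown in comment 5.
function checkFraming(headerValue, frameOrigin, ancestors) {
  const top = ancestors[0];
  const parsed = parseXfo(headerValue);
  switch (parsed.kind) {
    case 'deny':
      return {
        allowed: false,
        message: `Load denied by X-Frame-Options: "deny" from "${frameOrigin}", ` +
                 `site does not permit any framing. Attempted to load into "${top}".`,
      };
    case 'sameorigin': {
      const offender = ancestors.find((o) => o !== frameOrigin);
      if (offender === undefined) return { allowed: true, message: null };
      return {
        allowed: false,
        message: `Load denied by X-Frame-Options: "sameorigin" from "${frameOrigin}", ` +
                 `site does not permit cross-origin framing from "${offender}".`,
      };
    }
    default:
      // An invalid value is only warned about; the load itself proceeds. A
      // site whose sole clickjacking defence was ALLOW-FROM is therefore
      // framable by any origin in a browser that behaves this way.
      return {
        allowed: true,
        message: `Invalid X-Frame-Options: "${headerValue.trim()}" header from ` +
                 `"${frameOrigin}" loaded into "${top}".`,
      };
  }
}

// Translate an X-Frame-Options value into the equivalent CSP directive.
// ALLOW-FROM names a single origin, so it maps onto a single source
// expression; the URL parser normalizes host case and drops the path, and
// rejects scheme-less values such as "example.com".
function xfoToFrameAncestors(headerValue) {
  const v = headerValue.trim();
  const lower = v.toLowerCase();
  if (lower === 'deny') return "frame-ancestors 'none'";
  if (lower === 'sameorigin') return "frame-ancestors 'self'";
  const m = /^allow-from[\s:]+(\S+)$/i.exec(v);
  if (m) {
    let origin;
    try {
      origin = new URL(m[1]).origin;
    } catch (e) {
      throw new Error(`ALLOW-FROM value is not an absolute URL: ${m[1]}`);
    }
    if (origin === 'null') throw new Error(`opaque origin in ALLOW-FROM: ${m[1]}`);
    return `frame-ancestors ${origin}`;
  }
  throw new Error(`cannot translate X-Frame-Options value: ${v}`);
}

// Walk the cases from this bug: the reporter's ALLOW-FROM page (constructed
// origins taken from comment 0) and the warnings quoted in comment 5.
function demo() {
  const victim = 'http://www.enhanceie.com';
  const xfo = 'ALLOW-FROM http://www.DebugTheWeb.com/';
  return [
    checkFraming(xfo, victim, [victim]).message,
    xfoToFrameAncestors(xfo),
    checkFraming('deny', 'http://localhost:3000', ['http://localhost:3000']).message,
    checkFraming('sameorigin', 'http://localhost:3000', ['http://evil.example']).message,
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of demo()) console.log(line);
}
```

The practical point of the model is the default branch of checkFraming: after the removal, a response carrying only `X-Frame-Options: ALLOW-FROM ...` gets a console warning and then loads anyway, so the header no longer blocks anything. Replacing it with the `frame-ancestors` directive that xfoToFrameAncestors produces restores an enforced allow-list; note that a bare origin in frame-ancestors matches exactly that origin, the same scope ALLOW-FROM had.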
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b0e249d06e39
Remove X-Frame-Options allow-from. r=ckerschb
Comment 10•4 years ago
Announced on Fx 70 for developers release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/70#HTTP
Updated reference page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Updated compat data: https://github.com/mdn/browser-compat-data/pull/4869
Does this look good to you, jkt?
Comment 12•4 years ago
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/x-frame-options-allow-from-directive-has-been-removed/