
Misleading console message for X-Frame-Options Allow-From mismatch

Status: NEW (Unassigned)
Product: Core
Component: DOM: Security
Priority: P3
Severity: normal

People: (Reporter: Eric Lawrence (@ericlaw), Unassigned)

Tracking: Version 51 Branch; Points: ---; Firefox Tracking Flags: (Not tracked)

Details: (Whiteboard: [domsecurity-backlog3])

Description (Reporter)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

Steps to reproduce:

Visit http://www.enhanceie.com/test/ClickJack/default.asp with console open.


Actual results:

As expected, observe that the frame does not load under "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page)" because the X-FRAME-OPTIONS directive only allows a different host to frame the target.

  GET http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp HTTP/1.1
  Host: www.enhanceie.com

  HTTP/1.1 200 OK
  X-Frame-Options: ALLOW-FROM http://www.DebugTheWeb.com/

Problem: Look in console log. See text: "Load denied by X-Frame-Options: http://www.debugtheweb.com/ does not permit framing by http://www.enhanceie.com/test/ClickJack/default.asp."

This is misleading, because the site forbidding framing isn't the one listed.


Expected results:

The problem is that "www.debugtheweb.com" isn't the page forbidding framing, it's the value of the ALLOW-FROM value.

The message should be something like:
"Load denied by X-Frame-Options: http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not permit framing by http://www.enhanceie.com. Only framing by http://www.debugtheweb.com/ is permitted."

Alternatively, to simplify the fix, the message could be made "Load denied by X-Frame-Options: ALLOW-FROM: http://www.debugtheweb.com/ does not permit framing by http://www.enhanceie.com."

Relevant source: https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#397

(In reply to Eric from comment #0)

Eric, thanks for reporting.

> The message should be something like:
> "Load denied by X-Frame-Options:
> http://www.enhanceie.com/test/ClickJack/vicAllowFromOther.asp does not does
> not permit framing by http://www.enhanceie.com. Only framing by
> http://www.debugtheweb.com/ is permitted."

I can reproduce the problem and you are absolutely right, the problem occurs somewhere within ReportXFOViolation() [1]. Whenever someone is going to fix that bug, please also replace the hardcoded | NS_LITERAL_STRING("Load denied by X-Frame-Options: "); | with something more locale-friendly.

Putting in the backlog for now.

[1] https://hg.mozilla.org/mozilla-central/annotate/7c576fe3279d87543f0a03b844eba7bc215e17f1/docshell/base/nsDSURIContentListener.cpp#l463
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
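To show the distinction the report is about (the ALLOW-FROM origin versus the page that actually refuses to be framed), here is an added, stand-alone Python model of the X-Frame-Options check that emits a message in the shape the reporter suggests. It is not Firefox's code from nsDSURIContentListener.cpp; it follows the RFC 7034 rule of comparing only the outermost document's origin, and it assumes a malformed header imposes no restriction (browsers vary on that).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize a URL's origin as scheme://host[:port], dropping default ports."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def check_xfo(header_value, framed_url, top_url):
    """Decide whether framed_url may load inside top_url under X-Frame-Options.

    Returns (allowed, message). When blocked, the message names the framed
    page as the party refusing, and states the ALLOW-FROM origin separately.
    Simplified model: only the outermost document is compared (RFC 7034);
    a malformed or unknown directive is treated as no restriction (assumption).
    """
    parts = header_value.strip().split(None, 1)
    directive = parts[0].upper() if parts else ""
    top_origin = origin_of(top_url)
    if directive == "DENY":
        allowed, detail = False, "DENY forbids all framing."
    elif directive == "SAMEORIGIN":
        framed_origin = origin_of(framed_url)
        allowed = framed_origin == top_origin
        detail = f"Only framing by {framed_origin} is permitted."
    elif directive == "ALLOW-FROM" and len(parts) == 2:
        allowed_origin = origin_of(parts[1].strip())
        allowed = allowed_origin == top_origin
        detail = f"Only framing by {allowed_origin} is permitted."
    else:
        return True, None
    if allowed:
        return True, None
    return False, (f"Load denied by X-Frame-Options: {framed_url} does not "
                   f"permit framing by {top_origin}. {detail}")


def misleading_message(header_value, top_url):
    """The message shape the report complains about: the ALLOW-FROM value is
    printed where a reader expects the page that refused to be framed."""
    allow_from = header_value.strip().split(None, 1)[1]
    return f"Load denied by X-Frame-Options: {allow_from} does not permit framing by {top_url}."
```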