Closed Bug 1594063 Opened 5 years ago Closed 5 years ago

Incorrect x-frame-options error generated on valid parameter.

Product / Component: Core :: DOM: Security (defect)
Version: 70 Branch
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
Reporter: tim
Assignee: Unassigned

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Browse to website at https://agr.wa.gov/ and view console for errors in Firefox 70.0.1 (64-bit) on Windows 10 Professional.

Actual results:

Shows message in red: Invalid X-Frame-Options: “allow-from https://cms.agr.wa.gov/” header from “https://agr.wa.gov/services/licenses-permits-and-certificates?preview=true&key=22dca5c0-379c-4a10-afe6-6bf604e2944a” loaded into “https://cms.agr.wa.gov//Admin/CMSAdministration.aspx/default…eid=22642&culture=en-US#95a82f36-9c40-45f0-86f1-39aa44db9a77”.

Expected results:

This is not an error per RFC 7034, section 2.2.1 (https://tools.ietf.org/html/rfc7034#page-6).

The issue is that the Firefox error message has a [Learn More] link that goes to the MDN (Mozilla Developer Network) page regarding the x-frame-options server header at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options?utm_source=mozilla&utm_medium=firefox-console-errors

On that MDN page under "Syntax" it says that there are three possible directives (which is correct per the RFC); however, only two are displayed. I believe one of the Firefox developers saw that and coded that anything other than those two will generate an error.

Note that "allow-from" is a valid option for this header. The documentation on MDN needs to be corrected and the code in Firefox needs to be fixed.

Hello, this issue no longer occurs in Nightly 72.0a1. The fix was delivered by fixing bug 1584998 (https://bugzilla.mozilla.org/show_bug.cgi?id=1584998).

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Depends on: 1584998
Ever confirmed: true
Product: Firefox → Core

We implemented allow-from in bug 690168 (2012).
We dealt with browser inconsistencies in bug 725490.
We removed it again in Firefox 70; see bug 1301529 comment 10.

Safari and Chrome never implemented the allow-from form. MS did implement it, but Edge will soon switch to the Chromium engine so it will go away there too (bug 1566420 comment 3). Instead use the Content-Security-Policy frame-ancestors feature, which works more predictably.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
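The migration recommended in the comment above, from `X-Frame-Options: ALLOW-FROM` to `Content-Security-Policy: frame-ancestors`, worked through as an added example. This is not code from this bug, from Firefox, or from the reporter's site: it parses a legacy X-Frame-Options value per RFC 7034, emits the equivalent frame-ancestors directive, and evaluates that directive against a framing origin. The helper names are the example's own, and the sample values are constructed from the origins quoted in the report (the CMS at cms.agr.wa.gov framing pages on agr.wa.gov).

```python
"""Added example: migrating X-Frame-Options ALLOW-FROM to CSP frame-ancestors."""
from urllib.parse import urlsplit


def normalize_origin(uri: str) -> str:
    """Reduce a URI to its origin (scheme://host[:port]) in lower case."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) origin: {uri!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_x_frame_options(value: str):
    """Parse an X-Frame-Options value per RFC 7034 section 2.

    Returns (directive, origin); origin is None except for ALLOW-FROM.
    Any other token is rejected, which is what a browser without
    allow-from support does with the header from the report above.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(tokens) != 1:
            raise ValueError(f"{directive} takes no argument")
        return directive, None
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError("ALLOW-FROM takes exactly one origin")
        return directive, normalize_origin(tokens[1])
    raise ValueError(f"unknown X-Frame-Options directive {tokens[0]!r}")


def to_frame_ancestors(xfo_value: str) -> str:
    """Equivalent Content-Security-Policy frame-ancestors directive."""
    directive, origin = parse_x_frame_options(xfo_value)
    if directive == "DENY":
        return "frame-ancestors 'none'"
    if directive == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    return f"frame-ancestors {origin}"


def _source_matches(source: str, framer_origin: str) -> bool:
    """Match one frame-ancestors host source against a framing origin."""
    if source == "*":
        return True
    framer = urlsplit(framer_origin)
    if "://" in source:
        src = urlsplit(source)
        if src.scheme.lower() != framer.scheme.lower():
            return False
        host_pattern = src.netloc.lower()
    else:
        host_pattern = source.lower()  # scheme-less host source
    host = framer.netloc.lower()
    if host_pattern.startswith("*."):
        # "*.agr.wa.gov" matches subdomains only, not the bare domain
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def frame_ancestors_allows(csp_value: str, page_origin: str, framer_origin: str) -> bool:
    """Decide whether page_origin may be framed by framer_origin under csp_value.

    Only the frame-ancestors directive is consulted; a policy without it
    does not restrict framing at all.
    """
    page_origin = normalize_origin(page_origin)
    framer_origin = normalize_origin(framer_origin)
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = tokens[1:]
        if not sources or sources == ["'none'"]:
            return False
        for source in sources:
            if source == "'self'":
                if framer_origin == page_origin:
                    return True
            elif _source_matches(source, framer_origin):
                return True
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the CMS origin from the report framing the public site.
    legacy = "allow-from https://cms.agr.wa.gov/"
    csp = to_frame_ancestors(legacy)
    print(f"X-Frame-Options: {legacy}  ->  Content-Security-Policy: {csp}")
    for framer in ("https://cms.agr.wa.gov", "https://agr.wa.gov", "https://example.test"):
        allowed = frame_ancestors_allows(csp, "https://agr.wa.gov", framer)
        print(f"  framed by {framer}: {'allowed' if allowed else 'blocked'}")
```

The resulting policy is a single response header (`Content-Security-Policy: frame-ancestors https://cms.agr.wa.gov`) and does not require any other CSP directive, so it can be deployed on its own ahead of a fuller policy. Unlike ALLOW-FROM, which names one origin and is only ever checked by the browser against one ancestor, frame-ancestors accepts a source list and is enforced against every ancestor in the frame chain.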

Then the RFC isn't being followed? Will the MDN documentation page at least get updated to reflect the difference from RFC? Interestingly, while Chrome may have "never implemented it" it works fine in current Chrome builds without generating any errors. For various reasons we are unable to implement a proper CSP on our site yet and need the CMS to be able to talk to the website proper via different domains. I'm fine with console errors being generated as long as the action is still allowed.
