Open Bug 1596402 Opened 5 years ago Updated 2 years ago

Honor X-Frame-Options / frame-ancestors for all embed/object loads

Categories: Core :: DOM: Security, enhancement, P3

Reporter: ckerschb, Unassigned

Whiteboard: [domsecurity-backlog1]

+++ This bug was initially created as a clone of Bug #1595762 +++

This is important for the security guarantees around Fetch metadata headers and for being able to simplify our loading setup around the embed and object elements.

Copying over the important message from Anne explaining why this bug was filed:

The idea would be to also block if the response is for an image or plugin, e.g., data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4"> or data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4" type="image/jpeg">, but there are some compatibility risks with doing that so we'd need to roll that out carefully.
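As an added example (not Firefox code), this is the framing decision the bug asks for, applied to a constructed image response loaded through <embed> from a cross-origin page: the check consults only X-Frame-Options and CSP frame-ancestors, never the Content-Type, so image and plugin responses are treated exactly like documents. The `frame_blocked` helper, header samples and origins are constructed for illustration; frame-ancestors support is limited to 'self', 'none' and host sources.

```python
"""Added example, not Firefox code: the X-Frame-Options / CSP frame-ancestors decision
for a nested load, independent of container element (iframe/embed/object) and Content-Type."""
from urllib.parse import urlsplit


def _source_matches(source, ancestor_origin, resource_origin):
    """Match one frame-ancestors source ('none', 'self', or a host source such as
    example.com, https://example.com, https://*.example.com; ports ignored)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == resource_origin
    anc = urlsplit(ancestor_origin)
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != anc.scheme:
        return False
    host = host.split(":")[0]
    if host.startswith("*."):
        return anc.hostname.endswith(host[1:])  # *.a.example never matches a.example
    return anc.hostname == host


def frame_blocked(response_headers, ancestor_origins, resource_origin):
    """True when the response must not render inside the given ancestors.
    ancestor_origins holds every ancestor document's origin, top-level included."""
    if not ancestor_origins:
        return False  # top-level navigation: framing policies do not apply
    headers = {k.lower(): v for k, v in response_headers.items()}
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors wins; X-Frame-Options is ignored when both are present.
            return not all(
                any(_source_matches(s, anc, resource_origin) for s in parts[1:])
                for anc in ancestor_origins
            )
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return True
    if xfo == "sameorigin":
        return any(anc != resource_origin for anc in ancestor_origins)
    return False  # no header, or a value this example does not interpret


# Constructed samples: the image-with-DENY case from the bug, and a CSP override case.
IMAGE_RESPONSE = {"Content-Type": "image/jpeg", "X-Frame-Options": "DENY"}
CSP_RESPONSE = {"Content-Type": "application/pdf", "X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}
```

`frame_blocked(IMAGE_RESPONSE, ["https://embedder.example"], "https://avatars.example")` returns True, which is the behaviour the bug requests for an <embed> of an image carrying X-Frame-Options: DENY.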

Blocks: 1695911
Severity: normal → S3