Bug 1596402 (Open, NEW)
Opened 5 years ago
Updated 2 months ago
Honor X-Frame-Options / frame-ancestors for all embed/object loads
Categories: Core :: DOM: Security, enhancement, P3
People: Reporter: ckerschb, Unassigned
Whiteboard: [domsecurity-backlog1]
+++ This bug was initially created as a clone of Bug #1595762 +++
This is important for the security guarantees around Fetch metadata headers and for being able to simplify our loading setup around the embed and object elements.
Comment 1 • Reporter (ckerschb) • 5 years ago
Copying over the important message from Anne on why this bug was filed:
The idea would be to also block if the response is for an image or plugin, e.g., data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4"> or data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4" type="image/jpeg">, but there are some compatibility risks with doing that so we'd need to roll that out carefully.
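To make the proposed behaviour concrete, here is a small model of the check this bug asks for, written as an added example for this page (it is not Firefox code and does not mirror Gecko's internal API). It takes a fetched response and the origins of the embedding document's ancestor chain, and decides whether an <embed>/<object> load must be blocked, deliberately without looking at the Content-Type, which is exactly the change Anne describes for image and plugin responses. Assumptions: Node.js (global WHATWG URL), a CSP frame-ancestors directive takes precedence over X-Frame-Options as CSP Level 3 specifies, X-Frame-Options values other than DENY and SAMEORIGIN are ignored, and the host names, headers and URLs below are constructed sample data.

```javascript
// Added example, not Firefox code: apply X-Frame-Options / frame-ancestors to an
// <embed>/<object> response regardless of its Content-Type.

function originOf(urlString) {
  // scheme://host[:port] with default ports dropped, as URL.origin does
  return new URL(urlString).origin;
}

// Collect every frame-ancestors source list from one or more CSP header values.
// Returns an array of source lists (one per policy) or null if none is present.
function frameAncestorsLists(cspValues) {
  const lists = [];
  for (const value of cspValues) {
    for (const directive of value.split(";")) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
        lists.push(tokens.slice(1).map(t => t.replace(/^'|'$/g, "").toLowerCase()));
      }
    }
  }
  return lists.length ? lists : null;
}

// Does one ancestor origin satisfy one frame-ancestors source expression?
// Supports 'none', '*', 'self', scheme-source ("https:") and host-source
// ("[scheme://]host[:port]" with an optional leading "*." wildcard).
function sourceMatches(source, ancestorOrigin, responseOrigin) {
  if (source === "none") return false;
  if (source === "*") return true;
  if (source === "self") return ancestorOrigin === responseOrigin;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return anc.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && anc.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? anc.hostname.endsWith("." + host) : anc.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const ancPort = anc.port || (anc.protocol === "https:" ? "443" : "80");
    if (ancPort !== port) return false;
  }
  return true;
}

// Decide whether loading `response` via <embed>/<object> inside a document whose
// ancestor chain is `ancestorOrigins` (embedding document first, top level last)
// must be blocked. Content-Type is intentionally not consulted: the proposal in
// this bug is to enforce framing restrictions for images and plugins as well.
function embedLoadDecision(response, ancestorOrigins) {
  const responseOrigin = originOf(response.url);
  const ancestors = ancestorOrigins.map(originOf);
  const headers = {};
  for (const [name, value] of Object.entries(response.headers)) {
    const key = name.toLowerCase();
    headers[key] = (headers[key] || []).concat(value); // repeated headers allowed
  }
  const policies = frameAncestorsLists(headers["content-security-policy"] || []);
  if (policies) {
    // Every delivered policy must allow every ancestor; XFO is ignored when present.
    for (const sources of policies) {
      for (const ancestor of ancestors) {
        if (!sources.some(s => sourceMatches(s, ancestor, responseOrigin))) {
          return { blocked: true, reason: `frame-ancestors rejects ${ancestor}` };
        }
      }
    }
    return { blocked: false, reason: "frame-ancestors allows all ancestors" };
  }
  const xfo = (headers["x-frame-options"] || []).map(v => v.trim().toUpperCase());
  if (xfo.includes("DENY")) return { blocked: true, reason: "X-Frame-Options: DENY" };
  if (xfo.includes("SAMEORIGIN")) {
    const cross = ancestors.find(a => a !== responseOrigin);
    if (cross) return { blocked: true, reason: `X-Frame-Options: SAMEORIGIN rejects ${cross}` };
  }
  return { blocked: false, reason: "no applicable framing restriction" };
}

// Constructed sample: a JPEG served with X-Frame-Options: DENY and embedded from
// an unrelated site via <embed src=...>. With the check applied to image
// responses, the load is blocked; today it would simply render.
const sampleImageResponse = {
  url: "https://avatars.example/u/1.jpg",
  headers: { "Content-Type": "image/jpeg", "X-Frame-Options": "DENY" },
};
console.log(embedLoadDecision(sampleImageResponse, ["https://third-party.example"]));
```

The function returns a reason string alongside the verdict so that a console or devtools message can say which header and which ancestor caused the block, which is the kind of diagnostic site owners need when a roll-out like this changes behaviour for existing embeds.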
Updated • 2 years ago
Severity: normal → S3