Closed Bug 1659763 Opened 4 years ago Closed 11 months ago

Align X-Frame-Options processing with the spec/WebKit/Blink

Categories

(Core :: DOM: Security, defect, P3)

defect

Tracking

()

RESOLVED FIXED
116 Branch
Tracking Status
firefox116 --- fixed

People

(Reporter: d, Assigned: jewilde)

References

Details

(Keywords: sec-want, Whiteboard: [domsecurity-backlog1] [adv-main116-])

Attachments

(1 file)

In https://github.com/whatwg/html/pull/5737 we finally specified X-Frame-Options. https://github.com/web-platform-tests/wpt/pull/24618 greatly expanded the tests.

Browsers mostly agree on the behavior of the header. However, Gecko disagrees with the spec/WebKit/Blink in the case of conflicting header values, e.g. DENY,SAMEORIGIN. In particular the failures are in https://github.com/web-platform-tests/wpt/blob/master/x-frame-options/multiple.html .

The full spec processing model is at https://html.spec.whatwg.org/#the-x-frame-options-header .
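As an added illustration of the processing model linked above (this is not Gecko code, nor the reporter's; it is my reading of the spec's "check a navigation response's adherence to X-Frame-Options" steps, and the origins and header values used are constructed test data), the function below shows why conflicting values such as `DENY,SAMEORIGIN` must block rather than pick one directive, and how `SAMEORIGIN` has to walk the whole ancestor chain. Header splitting is simplified to a comma split with whitespace trimming, which is adequate because `X-Frame-Options` carries no quoted strings.

```python
"""Reference model of the HTML spec's X-Frame-Options processing
(https://html.spec.whatwg.org/#the-x-frame-options-header), written as an
added example for this bug; not browser code. Inputs below are constructed."""

from typing import Sequence


def split_header_values(raw_values: Sequence[str]) -> list[str]:
    """Approximate the spec's "get, decode, and split" for a header that may
    appear more than once: each occurrence is split on commas and trimmed.
    Assumption: no quoted strings, which X-Frame-Options never uses."""
    out: list[str] = []
    for raw in raw_values:
        for part in raw.split(","):
            part = part.strip(" \t")
            if part:
                out.append(part)
    return out


def xfo_allows_embedding(
    xfo_headers: Sequence[str],
    ancestor_origins: Sequence[str],
    destination_origin: str,
    csp_has_enforced_frame_ancestors: bool = False,
) -> bool:
    """Return True if the response may be rendered inside a frame.

    xfo_headers: every X-Frame-Options header value on the response.
    ancestor_origins: origins of the container-document chain, nearest
        first; an empty chain means a top-level navigation.
    destination_origin: origin of the document being loaded in the frame.
    """
    # Step 1: top-level navigations are never blocked by X-Frame-Options.
    if not ancestor_origins:
        return True
    # Step 2: an enforced CSP frame-ancestors directive takes precedence,
    # so the header is ignored entirely.
    if csp_has_enforced_frame_ancestors:
        return True
    # Steps 3-5: ASCII-lowercase each value and de-duplicate (a spec "set"
    # keeps insertion order but drops repeats, so "SAMEORIGIN, sameorigin"
    # counts as one value).
    options: list[str] = []
    for value in split_header_values(xfo_headers):
        lowered = value.encode("ascii", "ignore").decode().lower()
        if lowered not in options:
            options.append(lowered)
    # Step 6: more than one distinct value, at least one of which is a real
    # directive (or the legacy ALLOWALL): fail closed. This is the case the
    # bug is about: "DENY,SAMEORIGIN" blocks instead of honouring either.
    if len(options) > 1 and any(o in ("deny", "allowall", "sameorigin") for o in options):
        return False
    # Step 7: several values, none of them recognised: the header is ignored.
    if len(options) > 1:
        return True
    # Step 8: a lone DENY blocks unconditionally.
    if options and options[0] == "deny":
        return False
    # Step 9: a lone SAMEORIGIN requires every ancestor, not only the direct
    # parent, to be same-origin with the framed document.
    if options and options[0] == "sameorigin":
        return all(origin == destination_origin for origin in ancestor_origins)
    # Step 10: missing, empty, or a single unrecognised value: allowed.
    return True


if __name__ == "__main__":
    # Constructed check mirroring the multiple.html case from the bug.
    print(xfo_allows_embedding(["DENY,SAMEORIGIN"], ["https://a.example"], "https://a.example"))
```

The ordering of the checks matters: CSP precedence is evaluated before the header is even parsed, and the "conflicting values" test runs before the single-value tests, which is exactly the ordering Gecko had to adopt to pass the `multiple.html` web platform tests.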

Component: Networking → DOM: Security
Severity: -- → S3
Keywords: sec-want
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Pushed by jewilde@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3fc04d8eb32b
Fix failing x-frame-options web platform tests; r=freddyb,necko-reviewers,valentin
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Backed out for causing crashes with signature [@ mozilla::dom::CanonicalBrowsingContext::Cast], e.g. bp-cae7174b-1e32-4748-95f4-f9f9f0230615.

Backout link: https://hg.mozilla.org/mozilla-central/rev/e8bfcd70e6ba5c6b9a6cc94e1a61b46d3f8949f8

Status: RESOLVED → REOPENED
Crash Signature: [@ mozilla::dom::CanonicalBrowsingContext::Cast]
Flags: needinfo?(jewilde)
Resolution: FIXED → ---
Target Milestone: 116 Branch → ---

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 10 desktop browser crashes on nightly
  • Top 10 AArch64 and ARM crashes on nightly

:jewilde, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(jewilde)
Keywords: topcrash

Can't be a topcrash if it's backed out...

Crash Signature: [@ mozilla::dom::CanonicalBrowsingContext::Cast]
Flags: needinfo?(jewilde)
Keywords: topcrash
Flags: needinfo?(jewilde)
Pushed by jewilde@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/522cce1d0166
Fix failing x-frame-options web platform tests; r=freddyb,necko-reviewers,valentin
Status: REOPENED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1] [adv-main116-]
