"Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning message even when no "x-frame-options" header present
Categories
(Core :: DOM: Security, defect, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox94 | --- | fixed |
People
(Reporter: marius.e.nicolae, Assigned: n.goeggi)
Details
(Whiteboard: [domsecurity-active])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Steps to reproduce:
Loaded a specially crafted simple test webpage https://www2.liny.io/ which just displays a message and hosts an iframe to https://www1.liny.io/. The iframe has the 'content-security-policy' header set to "frame-ancestors 'self' https://www2.liny.io;" and no 'x-frame-options' header.
Actual results:
The console displays the warning: "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.", falsely implying that both headers were detected and that ‘x-frame-options’ is being ignored due to the presence of the ‘frame-ancestors’ directive.
Expected results:
Detect that the 'content-security-policy' header is present but not the 'x-frame-options' header, and not display the warning at all. Another option would be to display it as an info or debug message, but clearly stating that the ‘x-frame-options’ header will be ignored only if present. The current message suggests that both headers were detected, which might incur pointless investigations of hunting down the involved headers.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
I think the behavior is dictated by the ShouldIgnoreFrameOptions function from the FramingChecker.cpp:134 file, where it can clearly be seen that only the frame-ancestors header presence is tested.
Comment 3•3 years ago
Niklas, I think we should move the ShouldIgnoreFrameOptions check further down here:
https://searchfox.org/mozilla-central/rev/072710086ddfe25aa2962c8399fefb2304e8193b/dom/security/FramingChecker.cpp#190
Do you mind doing that?
@Mne - thanks for reporting!
Since https://www2.liny.io/ returns a 403 for me, I built a separate example site: https://fluoridated-unruly-linseed.glitch.me/
With the attached patch applied the error message is no longer displayed.
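To make the behaviour under discussion concrete, here is an added example (not Firefox's FramingChecker code) that models the framing decision for a response shown in an iframe: frame-ancestors takes precedence over X-Frame-Options, but the "ignoring x-frame-options" warning is produced only when an X-Frame-Options header is actually present. The origins and headers in the comments are the constructed ones from this report; path components and conflicting duplicate headers are not modelled.

```javascript
// Return the frame-ancestors source list from a CSP header, or null if the
// directive is absent.
function frameAncestorsSources(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression against the embedding page's origin. Covers
// 'none', 'self', scheme sources (https:) and host sources with an optional
// scheme, port and leading '*.' wildcard; path components are not modelled.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === selfOrigin;
  const ancestor = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const [scheme, host] = s.includes('://')
    ? s.split('://') : [ancestor.protocol.slice(0, -1), s];
  if (ancestor.protocol !== `${scheme}:`) return false;
  if (host.startsWith('*.')) return ancestor.hostname.endsWith(host.slice(1));
  return ancestor.host === host || ancestor.hostname === host;
}

// Decide whether ancestorOrigin may frame a response served by selfOrigin with
// the given headers. The "ignoring" warning is emitted only when an
// X-Frame-Options header really is present, which is the point of this bug.
function framingDecision(headers, selfOrigin, ancestorOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const sources = frameAncestorsSources(h['content-security-policy']);
  const xfo = h['x-frame-options'];
  const warnings = [];
  if (sources !== null) {
    if (xfo !== undefined) {
      warnings.push("Ignoring 'x-frame-options' because of 'frame-ancestors' directive.");
    }
    const allowed = sources.some((src) => sourceMatches(src, ancestorOrigin, selfOrigin));
    return { allowed, warnings };
  }
  if (xfo === undefined) return { allowed: true, warnings };
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return { allowed: false, warnings };
  if (value === 'SAMEORIGIN') return { allowed: ancestorOrigin === selfOrigin, warnings };
  warnings.push(`Invalid X-Frame-Options value '${xfo}'; header ignored.`); // constructed message
  return { allowed: true, warnings };
}

// Constructed scenario from this report: CSP frame-ancestors only, no XFO.
// framingDecision({ 'Content-Security-Policy': "frame-ancestors 'self' https://www2.liny.io;" },
//                 'https://www1.liny.io', 'https://www2.liny.io')
// allows framing and emits no warning.
```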
Comment 6•3 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:ngogge, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 7•3 years ago
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #6)
> There's a r+ patch which didn't land and no activity in this bug for 2 weeks.

Thanks Release mgmt bot for spotting that ...
Comment 9•3 years ago
Backed out for Mochitest failures on test_ignore_xfo.html. CLOSED TREE
Backout link: https://hg.mozilla.org/integration/autoland/rev/7e4ca682d05634e495034dbd90ffe7d39e14e6b6
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Crunnable&revision=f2a411bda53d91dd5092d434044973cf65c605dd&selectedTaskRun=PeRwTQksSqaMEisBWJaYfg.0
Link to failure log: https://treeherder.mozilla.org/logviewer?job_id=351490415&repo=autoland&lineNumber=2244
Comment 10•3 years ago
Comment 11•3 years ago
Backed out causing Mochitests failures. CLOSED TREE
Backout link: https://hg.mozilla.org/integration/autoland/rev/769b2a6bbfa294a47e8dc52ffb89c0eef047823b
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception%2Crunnable&searchStr=linux%2C18.04%2Cx64%2Cwebrender%2Cdebug%2Cmochitests%2Ctest-linux1804-64-qr%2Fdebug-mochitest-plain-e10s%2C8&revision=40094c67ec8c741f568aa150f06f9edee5aabb19&selectedTaskRun=S95IU9F5RGGd4ItNJcP9RA.0
Link to failure log: https://treeherder.mozilla.org/logviewer?job_id=351772893&repo=autoland&lineNumber=7401
Comment 12•3 years ago
Hi Cristina, these failures seem unrelated to my patch, could you double check if it was really the cause?
Comment 13•3 years ago
Hi Niklas,
I've checked again the backfill investigation done by my colleagues from the previous shift (on the 16th); please see the link below: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception%2Crunnable&fromchange=7617df50b420a09e9fba0080b2a3d6bf49287566&searchStr=linux%2C18.04%2Cx64%2Cwebrender%2Cdebug%2Cmochitests%2Ctest-linux1804-64-qr%2Fdebug-mochitest-plain-e10s%2C8&tochange=769b2a6bbfa294a47e8dc52ffb89c0eef047823b
Comment 14•3 years ago
Comment 15•3 years ago