Closed
Bug 1891467
Opened 10 months ago
Closed 10 months ago
XFO ignores whitespace everywhere (not only leading and trailing whitespace)
Categories
(Core :: DOM: Security, defect)
Tracking
RESOLVED
FIXED
127 Branch
| | Tracking | Status |
|---|---|---|
| firefox127 | --- | fixed |
People
(Reporter: jannis, Assigned: longsonr)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Steps to reproduce:
- Frame a page with XFO: DE NY
- Observe the results
- Example URL: http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=XFO&first_id=3635&last_id=3639&scheme=http&t_resp_id=3636&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu
Actual results:
- Framing is denied, no message is sent
- Chromium and Safari allow framing and send a message
Expected results:
According to https://html.spec.whatwg.org/multipage/document-lifecycle.html#the-x-frame-options-header getting, decoding, and splitting only trailing and leading whitespace should be removed.
Instead Firefox removes Space, CR, HT, and FF everywhere within an XFO header. Thus XFO: S\fAMEORIGIN and similar are interpreted as valid XFO values.
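The two parsing behaviours contrasted in this report, as an added example (not Firefox's code and not part of the original bug). `splitStripAll` models the reported removal of Space, CR, HT and FF everywhere, and `splitSpec` trims only leading and trailing tab or space. All function names are hypothetical, and the quoted-string handling in Fetch's "get, decode, and split" is omitted as a simplification.

```javascript
// Added example: models the two X-Frame-Options parsing behaviours in this bug.
// Assumption: values are split on commas only (no quoted-string handling).
const VALID = new Set(["deny", "sameorigin", "allowall"]);

// Spec behaviour: split on commas, strip only leading/trailing tab or space.
function splitSpec(headerValue) {
  return headerValue
    .split(",")
    .map((v) => v.replace(/^[\t ]+|[\t ]+$/g, "").toLowerCase());
}

// Behaviour described in the report: Space, CR, HT and FF removed everywhere.
function splitStripAll(headerValue) {
  return headerValue
    .split(",")
    .map((v) => v.replace(/[ \r\t\f]/g, "").toLowerCase());
}

// Decision steps of the HTML spec's X-Frame-Options check on the split values.
// Returns "deny", "sameorigin" (ancestor origin check still required) or
// "ignored" (the header has no blocking effect).
function xfoDecision(values) {
  const set = [...new Set(values)]; // ordered set: duplicates collapse
  if (set.length > 1) {
    // Conflicting values block framing if any of them is a known token.
    return set.some((v) => VALID.has(v)) ? "deny" : "ignored";
  }
  if (set[0] === "deny") return "deny";
  if (set[0] === "sameorigin") return "sameorigin";
  return "ignored"; // unknown token or "allowall"
}

function compare(headerValue) {
  return {
    spec: xfoDecision(splitSpec(headerValue)),
    stripAll: xfoDecision(splitStripAll(headerValue)),
  };
}

// Constructed sample header values, including the two from the report.
const SAMPLES = ["DE NY", "S\fAMEORIGIN", "  DENY\t", "sameorigin, deny"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), compare(s));
}
```

A header value for which only `stripAll` returns "deny" or "sameorigin" is ignored by spec-following browsers, which is the Chromium and Safari behaviour noted in the report.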
Comment 1•10 months ago (Assignee)
Updated•10 months ago
Assignee: nobody → longsonr
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/ecc615f6fc77
Don't strip whitespace within X-Frame-Options values r=tschuster
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45744 for changes under testing/web-platform/tests
Comment 4•10 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
status-firefox127:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Upstream PR merged by moz-wptsync-bot