Closed Bug 1891467 Opened 10 months ago Closed 10 months ago

XFO ignores whitespace everywhere (not only leading and trailing whitespace)

Categories

(Core :: DOM: Security, defect)

Firefox 124
defect

RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: jannis, Assigned: longsonr)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0

Steps to reproduce:

Actual results:

  • Framing is denied, no message is sent
  • Chromium and Safari allow framing and send a message

Expected results:

According to https://html.spec.whatwg.org/multipage/document-lifecycle.html#the-x-frame-options-header, when getting, decoding, and splitting, only trailing and leading whitespace should be removed.

Instead, Firefox removes Space, CR, HT, and FF everywhere within an XFO header. Thus, XFO: S\fAMEORIGIN and similar are interpreted as valid XFO values.
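
Added example (not part of the bug report or the Firefox patch): a simplified JavaScript model of the two parsing behaviours described above, usable as a conformance check for header-handling code. Function names are hypothetical, the sample header values are constructed, and the quoted-string handling in the spec's splitting step is omitted.

```javascript
// Values the X-Frame-Options check recognises (compared in lowercase).
const KNOWN = new Set(["deny", "sameorigin", "allowall"]);

// Spec-style: split on commas, trim ONLY leading/trailing tab or space.
function splitStrict(headerValue) {
  return headerValue
    .split(",")
    .map((v) => v.replace(/^[\t ]+|[\t ]+$/g, "").toLowerCase());
}

// Behaviour described in the report: Space, CR, HT and FF removed everywhere.
function splitStripEverywhere(headerValue) {
  return headerValue
    .split(",")
    .map((v) => v.replace(/[ \r\t\f]/g, "").toLowerCase());
}

// Framing decision from the parsed values, in the order the spec checks them.
function xfoDecision(values, sameOrigin) {
  const set = new Set(values);
  if (set.size > 1) {
    // Conflicting values: blocked if any is recognised, else header ignored.
    return [...set].some((v) => KNOWN.has(v)) ? "blocked" : "allowed";
  }
  const [only] = set;
  if (only === "deny") return "blocked";
  if (only === "sameorigin") return sameOrigin ? "allowed" : "blocked";
  return "allowed"; // "allowall" or an unrecognised value has no effect
}

// Run both parsers on one header value so divergences are easy to spot.
function compare(headerValue, sameOrigin) {
  return {
    strict: xfoDecision(splitStrict(headerValue), sameOrigin),
    stripEverywhere: xfoDecision(splitStripEverywhere(headerValue), sameOrigin),
  };
}

// Constructed sample header values, evaluated for a cross-origin embedder.
const SAMPLES = ["SAMEORIGIN", "  SAMEORIGIN\t", "S\fAMEORIGIN", "SAME ORIGIN",
                 "DENY, S\fAMEORIGIN"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), compare(s, false));
}
```

Any sample where `strict` and `stripEverywhere` disagree is a value that only the whitespace-stripping parser treats as a valid directive.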

Assignee: nobody → longsonr
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by longsonr@gmail.com: https://hg.mozilla.org/integration/autoland/rev/ecc615f6fc77 Don't strip whitespace within X-Frame-Options values r=tschuster
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45744 for changes under testing/web-platform/tests
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Upstream PR merged by moz-wptsync-bot