Trying again is unlikely to make it work, so the button should not be there. I could go for a "Show only this frame" or "Open frame in new tab" button, though.
Good point, Try Again is not a useful feature there. :) CC'ing Johnath who might have an opinion.
Assignee: nobody → sstamm
Status: NEW → ASSIGNED
This applies to X-Frame-Options, bug 475530, as well.
Killing the Try Again button makes good sense, yeah. There's precedent, too: http://mxr.mozilla.org/mozilla-central/source/docshell/resources/content/netError.xhtml#187 As for doing more interesting things like breaking out of the frame, that will require more of the content/chrome event bubbling hijinx - not sure how I feel about it, but I think it might be worthwhile to break that off from killing Try Again, which feels unambiguously right?
I'm also not sure we need the button to take the user directly to the page. In most clickjacking attacks, users will never see the frame anyway. Plus we do already allow users to right-click in the frame and open it in its own tab or window, or open it directly if they need that feature.
I filed bug 561916 for the "open frame in new tab" button (plus a few other issues).
No tests for this patch (trivial fix). You can see the result of the patch in the content/base/test/test_CSP_frameancestors.html mochitest. Johnathan, just want to run this by your UI eyeballs before we commit the change. jst, I saw you were a peer on docshell, maybe you can give me a review on this tiny change?
Attachment #446768 - Flags: ui-review?(johnath) → ui-review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.