csp frame ancestor restrictions should not be enforced unless specified

RESOLVED FIXED

Status


Core
DOM: Core & HTML
P3
normal
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: geekboy, Assigned: geekboy)

(Assignee)

Description

8 years ago
The frame-ancestors directive should not inherit from the "allow" directive in CSP as per the spec.  This way sites "opt in" to blocking sites from framing them.
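
The behaviour change requested above, as an added example that is not Firefox's code or part of the bug report: a simplified JavaScript model of how an omitted frame-ancestors directive resolves with and without inheritance from "allow". The function names, the sample origins and the handling of a policy with no "allow" directive are assumptions of the model.

```javascript
// Simplified model of directive resolution in a policy that uses the
// "allow" directive as its fallback. All names here are hypothetical.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Model choice: the first occurrence of a directive wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// inheritFrameAncestors = true  -> behaviour the bug reports (inherit "allow")
// inheritFrameAncestors = false -> behaviour the bug asks for (opt-in only)
function effectiveSources(directives, name, inheritFrameAncestors) {
  if (directives.has(name)) return directives.get(name);
  if (name === "frame-ancestors" && !inheritFrameAncestors) return ["*"];
  // Assumption of this model: with no "allow" directive nothing matches.
  return directives.get("allow") || [];
}

function mayFrame(header, selfOrigin, ancestorOrigin, inheritFrameAncestors) {
  const sources = effectiveSources(
    parsePolicy(header), "frame-ancestors", inheritFrameAncestors);
  // 'none' never matches because no origin equals the keyword.
  return sources.some((src) =>
    src === "*" ||
    ((src === "'self'" || src === "self") && ancestorOrigin === selfOrigin) ||
    src === ancestorOrigin);
}

// Evaluate one framing attempt under both behaviours.
function compare(header, selfOrigin, ancestorOrigin) {
  return {
    before: mayFrame(header, selfOrigin, ancestorOrigin, true),
    after: mayFrame(header, selfOrigin, ancestorOrigin, false),
  };
}

// Constructed sample policies and origins.
const SITE = "https://app.example";
const OTHER = "https://other.example";
console.log(compare("allow 'self'; img-src *", SITE, OTHER));
console.log(compare("allow 'self'; frame-ancestors 'self'", SITE, OTHER));
```

With the opt-in behaviour, a policy that sets only "allow" no longer restricts who can frame the page, so a site that wants framing protection has to list frame-ancestors explicitly.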
(Assignee)

Comment 1

8 years ago
Created attachment 447590
Proposed Fix

Attached is a patch including the fix and updated xpcshell tests for the new behavior.

Updated the spec (wiki/Security/CSP/Specification) to reflect the changes too.
Attachment #447590 - Flags: review?
(Assignee)

Updated

8 years ago
Attachment #447590 - Flags: review? → review?(dveditz)
Comment on attachment 447590
Proposed Fix

r=dveditz, looks good.
Attachment #447590 - Flags: review?(dveditz) → review+
http://hg.mozilla.org/mozilla-central/rev/5eca1ddd02d6
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED