Closed Bug 555068 Opened 14 years ago Closed 14 years ago

csp frame ancestor restrictions should not be enforced unless specified

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: geekboy, Assigned: geekboy)

Details

Attachments

(1 file)

Proposed Fix 14 years ago Sid Stamm [:geekboy or :sstamm] 4.32 KB, patch	dveditz : review+	Details \| Diff \| Splinter Review

Sid Stamm [:geekboy or :sstamm]

Assignee

Description

•

14 years ago

The frame-ancestors directive should not inherit from the "allow" directive in CSP as per the spec.  This way sites "opt in" to blocking sites from framing them.

Sid Stamm [:geekboy or :sstamm]

Assignee

Comment 1

•

14 years ago

Attached patch Proposed Fix — Details — Splinter Review

Attached is a patch including the fix and updated xpcshell tests for the new behavior.

Updated the spec (wiki/Security/CSP/Specification) to reflect the changes too.

Attachment #447590 - Flags: review?

Sid Stamm [:geekboy or :sstamm]

Assignee

Updated

•

14 years ago

Attachment #447590 - Flags: review? → review?(dveditz)

Daniel Veditz [:dveditz]

Comment 2

•

14 years ago

Comment on attachment 447590 [details] [diff] [review]
Proposed Fix

r=dveditz, looks good.

Attachment #447590 - Flags: review?(dveditz) → review+

Brandon Sterne (:bsterne)

Comment 3

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/5eca1ddd02d6

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

csp frame ancestor restrictions should not be enforced unless specified

Categories

(Core :: DOM: Core & HTML, defect, P3)

Tracking

()

People

(Reporter: geekboy, Assigned: geekboy)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Attachment

General

Description

File Name

Content Type