Closed Bug 561916 Opened 14 years ago Closed 10 years ago

Make X-Frame-Options error page friendlier

Categories

(Core :: DOM: Navigation, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 631853
Tracking Status
blocking2.0 --- -
status2.0 --- wanted

People

(Reporter: jruderman, Assigned: bsterne)

References

(Blocks 1 open bug)

Details

The X-Frame-Options error page currently looks like this:
https://bugzilla.mozilla.org/attachment.cgi?id=440778

We should redesign the error page so it is optimal for cases like Google Images and DiggBar, not attack cases.  Non-attack cases may become common as sites adopt these anti-clickjacking measures.  Designing for attack cases is futile because attackers can make something else appear.

In particular, I don't think the page should use phrases like "Firefox prevented" or "security policy".  These phrases risk making users think they're being attacked (ux-tone) or feel they're in conflict with their browser (ux-control).  Clickjacking is easy to misunderstand and we don't want everyone asking how they can disable the feature (cf. what happened after bug 162020).

We might also want to consider what web site owners want Google Images visitors to see.  Or they may be tempted to use a fragile framebusting script rather than X-Frame-Options no matter what we do.  I haven't thought deeply about this aspect.

My recommendations:

* There should be an easy way to open the framed page (ux-error-recovery).  It could be a button or link, and it could open in the same tab or a new tab.  The context menu item is not easy enough to find (ux-discovery).

* The in-page explanation, if any, should be something simple like "This page cannot be displayed inside another page".  The detailed explanation should go in the Error Console (ux-jargon).

* The framed page should not look like an error page visually (ux-affordance).

This is a good idea, and I definitely want X-Frame-Options to make it into Firefox 4.  FYI, WebKit only redirects to about:blank when X-F-O is violated:
http://trac.webkit.org/changeset/42333

Assignee: nobody → bsterne
blocking2.0: --- → ?
status2.0: --- → wanted
No longer blocks: 475530

This sounds nice, but not blocker-nice. Please renominate if there's something I'm missing.

blocking2.0: ? → -
Whiteboard: [strings]

I don't think that [strings] bugs should be status2.0:wanted still. Care to retriage?

Assignee: bsterne → nobody
Component: Networking → Document Navigation
QA Contact: networking → docshell
Assignee: nobody → bsterne

Hey, Opera has implemented this page; how could we speed up fixing this?

Whiteboard: [strings]

I clicked on the Bugzilla links on http://arewestableyet.com/ and I saw no error page at all. Only after looking in the Web Console did I find out that X-Frame-Options disallowed the load.

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE