Closed Bug 561916 Opened 12 years ago Closed 7 years ago

Make X-Frame-Options error page friendlier

Categories

(Core :: DOM: Navigation, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 631853
Tracking Status
blocking2.0 --- -
status2.0 --- wanted

People

(Reporter: jruderman, Assigned: bsterne)

References

(Blocks 1 open bug)

Details

The X-Frame-Options error page currently looks like this:
https://bugzilla.mozilla.org/attachment.cgi?id=440778

We should redesign the error page so it is optimal for cases like Google Images and DiggBar, not attack cases.  Non-attack cases may become common as sites adopt these anti-clickjacking measures.  Designing for attack cases is futile because attackers can make something else appear.

In particular, I don't think the page should use phrases like "Firefox prevented" or "security policy".  These phrases risk making users think they're being attacked (ux-tone) or feel they're in conflict with their browser (ux-control).  Clickjacking is easy to misunderstand and we don't want everyone asking how they can disable the feature (cf what happened after bug 162020).

We might also want to consider what web site owners want Google Images visitors to see.  Or they may be tempted to use a fragile framebusting script rather than X-Frame-Options no matter what we do.  I haven't thought deeply about this aspect.

My recommendations:

* There should be an easy way to open the framed page (ux-error-recovery).  It could be a button or link, and it could open in the same tab or a new tab.  The context menu item is not easy enough to find (ux-discovery).

* The in-page explanation, if any, should be something simple like "This page cannot be displayed inside another page".  The detailed explanation should go in the Error Console (ux-jargon).

* The framed page should not look like an error page visually (ux-affordance).
This is a good idea, and I definitely want X-Frame-Options to make it into Firefox 4.  FYI, WebKit only redirects to about:blank when X-F-O is violated:
http://trac.webkit.org/changeset/42333
Assignee: nobody → bsterne
blocking2.0: --- → ?
status2.0: --- → wanted
No longer blocks: 475530
This sounds nice, but not blocker-nice. Please renominate if there's something I'm missing.
blocking2.0: ? → -
Whiteboard: [strings]
I don't think that [strings] bugs should be status2.0:wanted still. Care to retriage?
Assignee: bsterne → nobody
Component: Networking → Document Navigation
QA Contact: networking → docshell
Assignee: nobody → bsterne
Hey, Opera has implemented this page, how could we speed up to fix this?
Whiteboard: [strings]
I clicked on the bugzilla links on http://arewestableyet.com/ and I saw no error page at all. Only after looking in the webconsole I found out that x-frame-options disallowed the load.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 631853
You need to log in before you can comment on or make changes to this bug.