Closed Bug 631862 Opened 15 years ago Closed 5 years ago

X-Frame-Options error report is very confusing

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla77
Tracking Status
firefox77 --- fixed

People

(Reporter: giorgio.liscio, Assigned: baku)

Details

(Whiteboard: [lang=c++])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110205 Firefox/4.0b12pre
Build Identifier:
Fast bug demo with xulrunner:
main.xul:
    <browser type="content" src="http://myserver.com/mypage.html" />
mypage.html:
    <iframe src="http://youtube.com"></iframe>
Security Error: Content at http://www.youtube.com/ may not load data from http://myserver.com/mypage.html
I don't know why it happens, but it happens only when I manually set the .src of the html:iframe. If I load google.com, then search for youtube and click a link to youtube.com, this does not happen.
In addition, some youtube script that prevents framing once succeeded in changing the window.parent location (which contained a page on another server).
In firefox too:
Security Error: Content at http://googleads.g.doubleclick.net/ may not load data from...
and a lot more,
instead of simply denying access to the window.parent property as happens in firefox 3.6:
Error: Permission denied to <bla bla> to call Location.toString <bla bla>.
Reproducible: Always
Yeah, this is odd. Where is that subframe getting the url of the parent page? That shouldn't happen... If it's not getting it, then what's actually going on?
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Ever confirmed: true
In firefox: just simply create a page on any web server containing an iframe that embeds youtube.com
    <iframe src="http://www.youtube.com/"></iframe>
Security Error: Content at http://www.youtube.com/ may not load data from http://yourserver.com/youtube.htm.
The iframe is not loaded and its .src is set to about:blank.
Another related message that I get sometimes when trying to load youtube in an iframe (xulrunner latest trunk, not the one bundled with firefox):
No chrome package registered for chrome://navigator/content/navigator.xul
I don't have navigator in xulrunner, why is it called?
Oh, wait. This is just the X-Frame-Options code which does a security check using CheckSameOriginURI and tells it to report the error. And that particular error string is sort of odd given the name of the function. We should probably fix the string, after 2.0 ships.
blocking2.0: ? → ---
Summary: xsite security policies don't just deny access, sometimes blocks loading of iframes → X-Frame-Options error report is very confusing
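Added example, not part of the bug thread or Firefox's code: a simplified JavaScript sketch of the X-Frame-Options decision described in the comment above, returning a message that names the header instead of a generic same-origin error. The function name checkFraming, the message wording and the header values used with it are assumptions; only the immediate parent is compared, and only DENY and SAMEORIGIN are handled.

```javascript
// Added example: simplified X-Frame-Options evaluation (not Firefox source code).
// checkFraming and its message wording are hypothetical, for illustration only.
function checkFraming(headerValue, framedUrl, parentUrl) {
  const framed = new URL(framedUrl);
  const parent = new URL(parentUrl);

  // No header: X-Frame-Options places no restriction on framing.
  if (headerValue == null || headerValue.trim() === "") {
    return { allowed: true, message: null };
  }

  // A header may carry several comma-separated values; every one must pass.
  for (const raw of headerValue.split(",")) {
    const policy = raw.trim().toUpperCase();
    let blocked = false;

    if (policy === "DENY") {
      blocked = true;
    } else if (policy === "SAMEORIGIN") {
      // URL.origin covers scheme, host and port together.
      blocked = framed.origin !== parent.origin;
    }
    // Any other value is ignored in this sketch.

    if (blocked) {
      // Name the header and its value so the console entry explains itself,
      // rather than reusing a generic "may not load data from" string.
      return {
        allowed: false,
        message:
          `Load of ${framed.href} in a frame on ${parent.href} ` +
          `denied by X-Frame-Options: ${policy}`,
      };
    }
  }
  return { allowed: true, message: null };
}
```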
I see, it does not load in 3.6 either... must be some script on youtube that redirects to about:blank when window.frameElement is set.
Why does it happen with a remote-xul browser too? (a xul browser placed in a remote page... the remote page is type="content" too)
    <browser xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" type="content" src="http://www.youtube.it/" />
Probably this is correct.
Thank you.
Another dup of bug 631853.
No, not at all. This bug is about the weird console warning that the X-Frame-Options code generates. That bug is about the user-perceived behavior.
Mentor: bzbarsky
Whiteboard: [lang=c++]
Assignee: nobody → jkt
Status: NEW → ASSIGNED
See Also: → 1567890
Assignee: jonathan → amarchesini
Depends on: 1599131
Mentor: bzbarsky
Attachment #9131421 - Attachment description: Bug 631862 - X-Frame-Options error report is very confusing, r?ckerschb → Bug 631862 - Improve X-Frame-Options error report, r?ckerschb
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/29a934591cfe Improve X-Frame-Options error report, r=ckerschb
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77