Open Bug 944414 Opened 8 years ago Updated 6 years ago
xul <browser> element should not care for x-frame-options
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release) Build ID: 20131112160018 Steps to reproduce: Added this to a xul file: <browser type="content.primary" src="http://www.facebook.com" flex="1"> </browser> Actual results: Nothing was loaded, error shown "Load denied by X-Frame-Options: https://www.facebook.com/ does not permit framing." Expected results: I should see the website. A Browser should be able to go to every website, an <iframe> does not. This is similar to <webview> (chromium) and <x-ms-webview> (windows). When reading this: https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI it is very clear that this is unexpected behavior.
(In reply to delrue.jonas from comment #1) > Added this to a xul file: > <browser type="content.primary" src="http://www.facebook.com" flex="1"> > </browser> Is content.primary a typo? If not, you want "content-primary", see the documentation below. > When reading this: > https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI it is very clear that > this is unexpected behavior. But you're using a XUL <browser>, which is documented on https://developer.mozilla.org/en-US/docs/XUL/browser#a-browser.type .
It is indeed a typo but doesn't influence the result. Retested it with content-primary and the result is the same. I know I'm using a XUL browser but the link I posted mentions the XUL browser as an example for this functionality. Even the example on your link (<browser type="content" src="http://www.mozilla.org" flex="1"/>) doesn't work because of X-Frame-Options.
Summary: <browser> element should not care for x-frame-options → xul <browser> element should not care for x-frame-options
Component: Untriaged → DOM: Security
Product: Firefox → Core
Gijs, should we reinvestigate what's happening here or can we close this bug?
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4) > Gijs, should we reinvestigate what's happening here or can we close this bug? I have no idea about the implementation of X-Frame-Options, and/or if the xul file from comment #0 would have been privileged or not - it's clear that you can load facebook in a browser content view, so I don't know why it wouldn't work, without more details. Who knows about X-Frame-Options?
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(mozilla)
Steve, I know Sid used to work on x-frame-options. Do you know if someone is still doing any active work on this, and if so, who is it?
Flags: needinfo?(mozilla) → needinfo?(sworkman)
I'm not aware of any active work on x-frame-options, Chris, sorry. Might need to do a bit of bug archeology here.
You need to log in before you can comment on or make changes to this bug.