Currently XFO only enforces same-origin checks of the loading frame against the top-level document when the SAMEORIGIN value is set [1][2]. However, XFO does not check the entire ancestor chain before making a decision whether the load should be allowed or blocked.

In more detail, a load of: a.com -> b.com -> a.com would currently allow frame a.com to be loaded. We plan to change that behavior so that for X-Frame-Options the entire ancestor chain is consulted when the value SAMEORIGIN is specified. In turn, that change of behavior would block the iframe of a.com because the middle iframe has an origin of b.com.

Please note that ALLOW-FROM or any other XFO values will not be affected by that change. As Chrome does not implement the ALLOW-FROM behavior, web sites shipping with an XFO header of ALLOW-FROM might not load in all circumstances. However, developers relying on that behavior could ship a CSP using frame-ancestors instead [3].

Chrome implemented the ancestor checks for SAMEORIGIN in Chrome 61 [4], has no intent to remove them, and no issues have been filed in the last ~4 months. Based on Chrome's telemetry the usage is ~0%, making the impact very low risk.

This change is covered by web platform tests in:
https://github.com/w3c/web-platform-tests/tree/master/x-frame-options

We track overall progress here:
https://bugzilla.mozilla.org/show_bug.cgi?id=725490

Thanks
Jonathan

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
[2] https://tools.ietf.org/html/rfc7034
[3] https://w3c.github.io/webappsec-csp/#directive-frame-ancestors
[4] https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/fsDaKFqvU20

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
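The following is an added example, not code from the post above or from Firefox or Chromium. It models the decision the message describes (does a document carrying X-Frame-Options load inside a given frame tree?) for both the old top-level-only SAMEORIGIN check and the new whole-ancestor-chain check, and shows the CSP frame-ancestors check that the post suggests as the replacement for ALLOW-FROM. Origins are plain strings such as "https://a.com"; the convention that the ancestor list runs from the direct parent up to the top-level document, the treatment of ALLOW-FROM as a top-level-only comparison, and the subset of frame-ancestors source syntax supported are all assumptions made for this example.

```javascript
// Added example (not from the original post, Firefox or Chromium).
// `ancestors` is assumed to list framing documents from the direct parent up
// to the top-level document, e.g. for a.com -> b.com -> a.com the innermost
// a.com frame has ancestors ["https://b.com", "https://a.com"].

function parseXfo(value) {
  const v = String(value).trim();
  const upper = v.toUpperCase();
  if (upper === "DENY") return { kind: "DENY" };
  if (upper === "SAMEORIGIN") return { kind: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM ")) {
    // RFC 7034: "ALLOW-FROM" followed by a single space and a serialized origin.
    const target = v.slice("ALLOW-FROM ".length).trim();
    return { kind: "ALLOW-FROM", origin: new URL(target).origin };
  }
  return { kind: "INVALID" };
}

// Returns "allow" or "block". `checkAllAncestors` selects between the old
// behaviour (compare the frame only against the top-level document) and the
// new behaviour (every ancestor must be same-origin with the framed document).
function xfoDecision(headerValue, frameOrigin, ancestors, { checkAllAncestors }) {
  if (ancestors.length === 0) return "allow"; // not framed at all
  const xfo = parseXfo(headerValue);
  const top = ancestors[ancestors.length - 1];
  switch (xfo.kind) {
    case "DENY":
      return "block";
    case "SAMEORIGIN": {
      const toCheck = checkAllAncestors ? ancestors : [top];
      return toCheck.every((o) => o === frameOrigin) ? "allow" : "block";
    }
    case "ALLOW-FROM":
      // Assumption for this example: ALLOW-FROM is compared against the
      // top-level document only; the ancestor-chain change does not touch it.
      return top === xfo.origin ? "allow" : "block";
    default:
      return "allow"; // unrecognised value: the header is ignored
  }
}

// CSP frame-ancestors is always evaluated against every ancestor, which is why
// the post points ALLOW-FROM users at it. Supported sources here (a subset of
// the spec, chosen for the example): 'none', 'self', scheme://host[:port], and
// scheme://*.host wildcards.
function matchesSource(src, ancestorOrigin, frameOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === frameOrigin;
  const sep = src.indexOf("://");
  if (sep === -1) return false; // bare hosts and scheme-only sources not modelled
  const scheme = src.slice(0, sep);
  const hostPort = src.slice(sep + 3);
  const u = new URL(ancestorOrigin);
  if (hostPort.startsWith("*.")) {
    // "*.a.com" matches "sub.a.com" but not "a.com" itself.
    return u.protocol === scheme + ":" && u.host.endsWith(hostPort.slice(1));
  }
  return src === ancestorOrigin;
}

function frameAncestorsAllows(directiveValue, frameOrigin, ancestors) {
  if (ancestors.length === 0) return "allow";
  const sources = directiveValue.trim().split(/\s+/);
  const ok = ancestors.every((a) =>
    sources.some((s) => matchesSource(s, a, frameOrigin)));
  return ok ? "allow" : "block";
}

// Constructed sample: the a.com -> b.com -> a.com chain from the post.
const chain = ["https://b.com", "https://a.com"];
console.log("old SAMEORIGIN:",
  xfoDecision("SAMEORIGIN", "https://a.com", chain, { checkAllAncestors: false }));
console.log("new SAMEORIGIN:",
  xfoDecision("SAMEORIGIN", "https://a.com", chain, { checkAllAncestors: true }));
console.log("frame-ancestors 'self' https://b.com:",
  frameAncestorsAllows("'self' https://b.com", "https://a.com", chain));
```

Run with node. The old check reports "allow" for the a.com -> b.com -> a.com chain because only the top-level a.com is compared, while the new check reports "block" because the intermediate b.com frame fails the same-origin test; a site that wants to permit exactly that chain can express it with frame-ancestors 'self' https://b.com.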