Diff
Modified: trunk/LayoutTests/ChangeLog (199604 => 199605)
--- trunk/LayoutTests/ChangeLog 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/ChangeLog 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,3 +1,39 @@
+2016-04-15 Brent Fulgham <[email protected]>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Reviewed by Darin Adler.
+
+ Revise tests to match our desired behavior based on RFC 7034 (Section 4).
+
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html:
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html:
+ * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Removed.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html.
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html: Copied from LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt: Removed.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt: Added.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html: Copied from LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html.
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html: Removed.
+ * inspector/console/x-frame-options-message-expected.txt: Rebaselined.
+ * platform/win/TestExpectations:
+
2016-04-15 Jiewen Tan <[email protected]>
Mark inspector/formatting/formatting-_javascript_.html as flaky on mac
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -2,8 +2,8 @@
<head>
</head>
<body>
- <p>FAIL: This should show up and disappear immediately.</p>
+ <p>PASS: This should be displayed.</p>
<meta http-equiv="x-frame-options" content="deny" />
- <p>FAIL: This should never show up.</p>
+ <p>PASS: This should also be displayed.</p>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -3,6 +3,6 @@
<meta http-equiv="x-frame-options" content="sameorigin" />
</head>
<body>
- <p>FAIL: This should not show up as the parent is not in the same origin.</p>
+ <p>PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.</p>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -3,6 +3,6 @@
<meta http-equiv="x-frame-options" content="deny" />
</head>
<body>
- <p>FAIL: This should not show up.</p>
+ <p>PASS: This should be displayed.</p>
</body>
</html>
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,19 +0,0 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,18 +0,0 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html">
-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,21 +0,0 @@
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = ""
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,12 +0,0 @@
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
-http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
-ALERT: PASS: onload fired.
-There should be content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS: This should show up as the parent is in the same origin.
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,10 +0,0 @@
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- }
-</script>
-
-<p>There should be content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="alert('PASS: onload fired.');"></iframe>
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,19 +0,0 @@
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
-http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html">
-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
-data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
-data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
-data:, - didFinishLoading
-CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
-There should be no content in the iframe below
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,21 +0,0 @@
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = ""
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Deleted: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,21 +0,0 @@
-<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.dumpResourceLoadCallbacks();
- testRunner.waitUntilDone();
- }
-
- function checkIfDone() {
- var url = ""
-
- if (!url)
- console.log("PASS: Could not read contentWindow.location.href");
- else
- console.log("FAIL: Could read contentWindow.location.href");
- testRunner.notifyDone();
- }
-</script>
-
-<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,13 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,15 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
+CONSOLE MESSAGE: line 6: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should be displayed.
+
+PASS: This should also be displayed.
Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html) (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,21 @@
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,13 @@
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
+http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+ALERT: PASS: onload fired.
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should show up as the parent is in the same origin.
Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html) (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,10 @@
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="" _onload_="alert('PASS: onload fired.');"></iframe>
Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,14 @@
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
+http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
+http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
+CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 13: FAIL: Could not read contentWindow.location.href
+There should be content in the iframe below
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: This should show up even though the parent is not in the same origin because we should be ignoring the meta tag.
Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html) (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,21 @@
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Copied: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html (from rev 199570, trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html) (0 => 199605)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,21 @@
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
+ }
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("FAIL: Could not read contentWindow.location.href");
+ else
+ console.log("PASS: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>There should be content in the iframe below</p>
+<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,2 +0,0 @@
-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E' in a frame because it set 'X-Frame-Options' to 'deny'.
-
Added: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt (0 => 199605)
--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 4: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html (from rev 199570, trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html) (0 => 199605)
--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setXSSAuditorEnabled(true);
+ testRunner.waitUntilDone();
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<iframe _onload_="done()" src=""
+</iframe>
+</body>
+</html>
Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html (199604 => 199605)
--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.setXSSAuditorEnabled(true);
- testRunner.waitUntilDone();
-}
-
-function done()
-{
- if (window.testRunner)
- testRunner.notifyDone();
-}
-</script>
-</head>
-<body>
-<iframe _onload_="done()" src=""
-</iframe>
-</body>
-</html>
Modified: trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt (199604 => 199605)
--- trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/inspector/console/x-frame-options-message-expected.txt 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 41: Refused to display 'x-frame-options-message.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+CONSOLE MESSAGE: line 41: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
== Running test suite: Console.XFrameOptionsMessages
Modified: trunk/LayoutTests/platform/win/TestExpectations (199604 => 199605)
--- trunk/LayoutTests/platform/win/TestExpectations 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/LayoutTests/platform/win/TestExpectations 2016-04-15 19:49:58 UTC (rev 199605)
@@ -2184,10 +2184,10 @@
webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-cached.html [ Crash ]
webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny.html [ Failure ]
webkit.org/b/140703 [ Debug ] http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html [ Crash ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html [ Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
-webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html [ Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html [ Crash Failure ]
+webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html [ Crash Failure ]
webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-invalid.html [ Failure ]
webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-conflict.html [ Failure ]
webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-allow.html [ Failure ]
Modified: trunk/Source/WebCore/ChangeLog (199604 => 199605)
--- trunk/Source/WebCore/ChangeLog 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/Source/WebCore/ChangeLog 2016-04-15 19:49:58 UTC (rev 199605)
@@ -1,3 +1,23 @@
+2016-04-15 Brent Fulgham <[email protected]>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Reviewed by Darin Adler.
+
+ Follow RFC7034 (Section 4), which recommends that 'X-Frame-Options' be ignored when delivered as part of
+ a '<meta http-equiv="...">' tag. This brings us in line with Firefox, Edge, and Blink.
+
+ Tests: http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html
+ http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html
+ http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Log error message instead of blocking the load.
+
2016-04-15 Jer Noble <[email protected]>
Audio elements should be able to have a controls manager.
Modified: trunk/Source/WebCore/dom/Document.cpp (199604 => 199605)
--- trunk/Source/WebCore/dom/Document.cpp 2016-04-15 19:20:35 UTC (rev 199604)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-04-15 19:49:58 UTC (rev 199605)
@@ -3304,15 +3304,8 @@
unsigned long requestIdentifier = 0;
if (frameLoader.activeDocumentLoader() && frameLoader.activeDocumentLoader()->mainResourceLoader())
requestIdentifier = frameLoader.activeDocumentLoader()->mainResourceLoader()->identifier();
- if (frameLoader.shouldInterruptLoadForXFrameOptions(content, url(), requestIdentifier)) {
- String message = "Refused to display '" + url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
- frameLoader.stopAllLoaders();
- // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's
- // intent, we must navigate away from the possibly partially-rendered document to a location that
- // doesn't inherit the parent's SecurityOrigin.
- frame->navigationScheduler().scheduleLocationChange(this, securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
- addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, requestIdentifier);
- }
+
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier);
}
break;
