Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,3 +1,17 @@
+2016-04-18 Brent Fulgham <[email protected]>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Rubberstamped by Darin Adler.
+
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt:
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt:
+
2016-04-15 Myles C. Maxfield <[email protected]>
ASSERT when loading github.com
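Review bot: The five file entries below "Rubberstamped by Darin Adler." end at the colon with no description, so this log does not say why the expectations changed. Add a short note, for example "Rebaselined for the revised console message.", either per file or once for the group, so the entry can be read without opening the WebCore change.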
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-expected.txt 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,7 +1,7 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html, http method GET> redirectResponse (null)
http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag.html - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
-CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 3: The X-Frame-Option 'deny' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.
CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
There should be content in the iframe below
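Review bot: The rebaselined CONSOLE MESSAGE line now embeds the value taken from the <meta> element ('deny'), but the updated expectations in this change only ever show 'deny' and 'sameorigin'. Since the expected text now depends on the echoed value, consider adding a subframe resource whose value contains mixed case or a single quote, so the expected output documents how such values are rendered in the console.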
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body-expected.txt 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,7 +1,7 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-in-body.html - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
-CONSOLE MESSAGE: line 6: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 6: The X-Frame-Option 'deny' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.
CONSOLE MESSAGE: line 15: PASS: Could read contentWindow.location.href
There should be content in the iframe below
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow-expected.txt 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,7 +1,7 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-allow.html - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
-CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 3: The X-Frame-Option 'sameorigin' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.
ALERT: PASS: onload fired.
There should be content in the iframe below
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,7 +1,7 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny.html - didFinishLoading
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
-CONSOLE MESSAGE: line 3: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 3: The X-Frame-Option 'sameorigin' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.
CONSOLE MESSAGE: line 21: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 13: FAIL: Could not read contentWindow.location.href
There should be content in the iframe below
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-ignored-expected.txt 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,2 +1,2 @@
-CONSOLE MESSAGE: line 4: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
+CONSOLE MESSAGE: line 4: The X-Frame-Option 'deny' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-25 15:39:46 UTC (rev 200019)
@@ -1,3 +1,14 @@
+2016-04-18 Brent Fulgham <[email protected]>
+
+ Remove support for X-Frame-Options in `<meta>`
+ https://bugs.webkit.org/show_bug.cgi?id=156625
+ <rdar://problem/25748714>
+
+ Rubberstamped by Darin Adler.
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Revise messaging based on Darin's comments.
+
2016-04-18 Carlos Garcia Campos <[email protected]>
[GTK] Menu list button doesn't use the text color from the theme
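Review bot: The entry title "Remove support for X-Frame-Options in `<meta>`" does not match the only change listed, "(WebCore::Document::processHttpEquiv): Revise messaging based on Darin's comments." Say in the description that this is a follow-up that changes only the console message wording, and mention that the value from the <meta> element is now included in the message, since that affects anyone matching on console output.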
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp (200018 => 200019)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp 2016-04-25 15:34:40 UTC (rev 200018)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp 2016-04-25 15:39:46 UTC (rev 200019)
@@ -3248,7 +3248,8 @@
if (frameLoader.activeDocumentLoader() && frameLoader.activeDocumentLoader()->mainResourceLoader())
requestIdentifier = frameLoader.activeDocumentLoader()->mainResourceLoader()->identifier();
- addConsoleMessage(MessageSource::Security, MessageLevel::Error, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.", requestIdentifier);
+ String message = "The X-Frame-Option '" + content + "' supplied in a <meta> element was ignored. X-Frame-Options may only be provided by an HTTP header sent with the document.";
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, requestIdentifier);
}
break;
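Review bot: In the added `String message = ...` line, `content` is concatenated into a MessageSource::Security error with no length limit and no handling of quotes or line breaks, and the message itself describes it as the value supplied in a <meta> element, so the page decides what appears between the single quotes. Consider truncating the value to a short fixed length and neutralizing embedded quotes and newlines before building the string, so a long or multi-line value cannot bloat the console entry or make it read like several messages. Separately, "The X-Frame-Option '" uses the singular while the second sentence uses "X-Frame-Options"; use the header's actual name in both places.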