mkwst@chromium.org authored
https://bugs.webkit.org/show_bug.cgi?id=110857

Reviewed by Adam Barth.

Source/WebCore:

DoubleClick, among others, serves ALLOWALL as an 'X-Frame-Options' value with the intent of (shock!) allowing a resource to be framed by all origins. Given its prevalence, and the fact that IE supports the header, we shouldn't call it out as invalid.

This patch tweaks the warning logic to only throw the warning if the header's value isn't 'ALLOWALL', 'DENY', or 'SAMEORIGIN'.

Test: http/tests/security/XFrameOptions/x-frame-options-allowall.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):

LayoutTests:

* http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi: Added.
* http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt: Added.
* http/tests/security/XFrameOptions/x-frame-options-allowall.html: Added.
  Exciting new test!
* http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt:
  Exciting new baseline for an old test that was already using ALLOWALL!

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144105 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1038527e