    X-Frame-Options should accept ALLOWALL as a valid value. · 1038527e
    mkwst@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=110857
    
    Reviewed by Adam Barth.
    
    Source/WebCore:
    
    DoubleClick, among others, serves ALLOWALL as a 'X-Frame-Options' value
    with the intent of (shock!) allowing a resource to be framed by all
    origins. Given its prevalence, and the fact that IE supports the header,
    we shouldn't call it out as invalid.
    
    This patch tweaks the warning logic to only throw the warning if the
    header's value isn't 'ALLOWALL', 'DENY', or 'SAMEORIGIN'.
    
    Test: http/tests/security/XFrameOptions/x-frame-options-allowall.html
    
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions):
    
    LayoutTests:
    
    * http/tests/security/XFrameOptions/resources/x-frame-options-allowall.cgi: Added.
    * http/tests/security/XFrameOptions/x-frame-options-allowall-expected.txt: Added.
    * http/tests/security/XFrameOptions/x-frame-options-allowall.html: Added.
        Exciting new test!
    * http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt:
        Exciting new baseline for an old test that was already using ALLOWALL!
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144105 268f45cc-cd09-0410-ab3c-d52691b4dbfc
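
The value handling described in the commit message above, as an added C++ example that is not WebKit's own code. `XfoDecision`, `normalizeXfo` and `evaluateXfo` are hypothetical names, and two behaviours are assumptions: matching is case-insensitive, and an unrecognized value is warned about but not enforced.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical types and names for illustration; not WebKit's FrameLoader code.
struct XfoDecision {
    bool blockLoad;  // refuse to display the framed resource
    bool warn;       // report the header value as invalid
};

// Trim surrounding whitespace and lowercase, so "  SameOrigin " == "sameorigin".
static std::string normalizeXfo(const std::string& raw) {
    auto isSpace = [](unsigned char c) { return std::isspace(c) != 0; };
    auto first = std::find_if_not(raw.begin(), raw.end(), isSpace);
    auto last = std::find_if_not(raw.rbegin(), raw.rend(), isSpace).base();
    std::string out = first < last ? std::string(first, last) : std::string();
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}

// headerValue: raw X-Frame-Options value from the response.
// sameOriginAsTop: whether the framed resource shares the top-level origin.
XfoDecision evaluateXfo(const std::string& headerValue, bool sameOriginAsTop) {
    const std::string v = normalizeXfo(headerValue);
    if (v == "deny")
        return {true, false};
    if (v == "sameorigin")
        return {!sameOriginAsTop, false};
    if (v == "allowall")
        return {false, false};  // accepted without a warning; offers no framing protection
    // Assumption: any other value is not enforced, only warned about,
    // so a typo such as "SAMEORIGN" leaves the resource frameable.
    return {false, true};
}
```

For a site operator the last branch is the one to watch: a misspelled value fails open, and the console warning is the only signal that the header is not protecting the page.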