weinig@apple.com authored
2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Fix for <rdar://problem/6226200>
        Implement Microsoft's X-FRAME-OPTIONS anti-framing defense

        Tests: http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html
               http/tests/security/XFrameOptions/x-frame-options-deny.html
               http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html
               http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html

        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv): Stop the current load and redirect to about:blank
        if an X-FRAME-OPTIONS <meta> tag http-equiv dictates we should.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions): Add logic to parse the
        X-FRAME-OPTIONS parameter.
        * loader/FrameLoader.h:
        * loader/MainResourceLoader.cpp:
        (WebCore::MainResourceLoader::didReceiveResponse): Stop the current load if framed and
        an X-FRAME-OPTIONS header and its parameter dictate that we should.

LayoutTests:

2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Tests for <rdar://problem/6226200>
        Implement Microsoft's X-FRAME-OPTIONS anti-framing defense

        * http/tests/security/XFrameOptions: Added.
        * http/tests/security/XFrameOptions/resources: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny.cgi: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-deny.cgi: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@42333 268f45cc-cd09-0410-ab3c-d52691b4dbfc
5af461c2
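An added example, not WebKit's code, modelling the decision the ChangeLog describes for shouldInterruptLoadForXFrameOptions and didReceiveResponse using the header's standard DENY and SAMEORIGIN values. It assumes origins as plain strings in place of SecurityOrigin and checks every ancestor frame rather than only the parent the tests exercise, which goes beyond the commit.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed frame context (not WebKit's types): origins are plain strings standing in for
// SecurityOrigin; an empty ancestor list means the document is top-level, i.e. not framed.
struct FrameContext {
    std::string documentOrigin;               // origin of the document being loaded
    std::vector<std::string> ancestorOrigins; // parent, grandparent, ..., top-level frame
};

// Trim ASCII whitespace and upper-case so " sameorigin " is treated as "SAMEORIGIN".
static std::string normalizeDirective(const std::string& value) {
    const char* ws = " \t\r\n";
    size_t b = value.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = value.find_last_not_of(ws);
    std::string out = value.substr(b, e - b + 1);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return out;
}

// Model of the commit's decision: return true when the load must be stopped because the page is
// framed and its X-FRAME-OPTIONS value forbids that. Unrecognised values are ignored (no effect),
// so a typo in the header silently leaves the page frameable.
bool shouldInterruptLoadForXFrameOptions(const std::string& headerValue, const FrameContext& ctx) {
    if (ctx.ancestorOrigins.empty()) return false; // not framed: the directive never applies
    const std::string directive = normalizeDirective(headerValue);
    if (directive == "DENY") return true;
    if (directive == "SAMEORIGIN") {
        // Every ancestor must share the document's origin; one cross-origin frame anywhere in
        // the chain is enough to block (stricter than a parent-only check).
        for (const std::string& origin : ctx.ancestorOrigins)
            if (origin != ctx.documentOrigin) return true;
        return false;
    }
    return false;
}

int main() {
    FrameContext framedByOther{"https://app.example", {"https://other.example"}};
    FrameContext framedBySelf{"https://app.example", {"https://app.example"}};
    std::cout << "DENY, framed cross-origin: " << shouldInterruptLoadForXFrameOptions("DENY", framedByOther) << '\n'
              << "SAMEORIGIN, framed by self: " << shouldInterruptLoadForXFrameOptions("sameorigin", framedBySelf) << '\n';
    return 0;
}
```

The commit also honours the directive in a <meta http-equiv> tag, but the later standard (RFC 7034) defines X-Frame-Options as an HTTP response header only and states the meta-tag form is not supported, so the header is the form to rely on.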