From b424197f53c6ca913b3b388a128691d09e890799 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Tue, 18 Aug 2020 12:34:10 -0400
Subject: [PATCH] Define X-Frame-Options processing

Closes #1230.
---
 source | 316 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 279 insertions(+), 37 deletions(-)

diff --git a/source b/source
index 361e6a5bc76..8260cd0f3d4 100644
--- a/source
+++ b/source
@@ -2489,6 +2489,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <p>The following terms are defined in <cite>Fetch</cite>: <ref spec=FETCH></p>
 
     <ul class="brief">
+     <li><dfn data-x="header-abnf" data-x-href="https://fetch.spec.whatwg.org/#abnf">ABNF</dfn></li>
      <li><dfn><code>about:blank</code></dfn></li>
      <li>An <dfn data-x-href="https://fetch.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn></li>
      <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</dfn></li>
@@ -2507,6 +2508,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response">process response</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header">getting a structured field value</dfn></li>
      <li><dfn data-x="concept-header-list-set" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-set">set</dfn></li>
+     <li><dfn data-x="concept-header-list-get-decode-split" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-decode-split">get, decode, and split</dfn></li>
      <li><dfn data-x="concept-fetch-terminate" data-x-href="https://fetch.spec.whatwg.org/#concept-fetch-terminate">terminate</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check">cross-origin resource policy check</dfn></li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestcredentials"><code>RequestCredentials</code></dfn> enumeration</li>
@@ -3801,6 +3803,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#content-security-policy-object">Content Security Policy</dfn></li>
+     <li><dfn data-x="csp-disposition" data-x-href="https://w3c.github.io/webappsec-csp/#policy-disposition">disposition</dfn></li>
+     <li><dfn data-x="csp-directive-set" data-x-href="https://w3c.github.io/webappsec-csp/#policy-directive-set">directive set</dfn></li>
      <li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#directives">Content Security Policy directive</dfn></li>
      <li><dfn data-x="concept-csp-list" data-x-href="https://w3c.github.io/webappsec-csp/#csp-list">CSP list</dfn></li>
      <li>The <dfn data-x-href="https://w3c.github.io/webappsec-csp/#grammardef-serialized-policy">Content Security Policy syntax</dfn></li>
@@ -83060,36 +83064,37 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <li><p>Let <var>response</var> be <var>navigationParams</var>'s <span
    data-x="navigation-params-response">response</span>.</p></li>
 
+   <li><p>Let <var>browsingContext</var> be <var>navigationParams</var>'s <span
+   data-x="navigation-params-browsing-context">browsing context</span>.</p></li>
+
    <li>
     <p>If any of the following are true:</p>
 
     <ul>
-     <li><p><var>response</var> is a <span>network error</span>.</p></li>
-
-     <li><p class="XXX">TODO: Define <code data-x="">X-Frame-Options</code> processing here (tracked
-     as <a href="https://github.com/whatwg/html/issues/1230">issue #1230</a>).</p></li>
-
-     <li><p>The <span>Should navigation response to navigation request of type from source in target
-     be blocked by Content Security Policy?</span> algorithm returns "<code
-     data-x="">Blocked</code>" when executed upon <var>navigationParams</var>'s <span
-     data-x="navigation-params-request">request</span>, <var>response</var>,
-     <var>navigationType</var>, <var>source</var>, and <var>navigationParams</var>'s <span
-     data-x="navigation-params-browsing-context">browsing context</span>.
-     <ref spec="CSP"></p></li>
-
-     <li><p>The result of <span
-     data-x="check a navigation response's adherence to its embedder policy">checking a
-     navigation response's adherence to its embedder policy</span> with <var>response</var> and
-     <var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
-     context</span> is false.</p></li>
+     <li><p><var>response</var> is a <span>network error</span>;</p></li>
+
+     <li><p>the result of <span>should navigation response to navigation request of type from source
+     in target be blocked by Content Security Policy?</span> given <var>navigationParams</var>'s
+     <span data-x="navigation-params-request">request</span>, <var>response</var>,
+     <var>navigationType</var>, <var>source</var>, and <var>browsingContext</var> is "<code
+     data-x="">Blocked</code>"; <ref spec="CSP"></p></li>
+
+     <li><p>the result of <span data-x="check a navigation response's adherence to
+     `X-Frame-Options`">checking a navigation response's adherence to
+     `<code>X-Frame-Options</code>`</span> given <var>response</var>, <var>browsingContext</var>,
+     and <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is
+     false; or</p></li>
+
+     <li><p>the result of <span data-x="check a navigation response's adherence to its embedder
+     policy">checking a navigation response's adherence to its embedder policy</span> given
+     <var>response</var> and <var>browsingContext</var> is false.</p></li>
     </ul>
 
     <p>then:</p>
 
     <ol>
      <li><p><span data-x="navigate-ua-inline">Display the inline content with an appropriate error
-     shown to the user</span> given <var>navigationParams</var>'s <span
-     data-x="navigation-params-browsing-context">browsing context</span>.</p></li>
+     shown to the user</span> given <var>browsingContext</var>.</p></li>
 
      <li><p>Run the <span data-x="environment discarding steps">environment discarding steps</span>
      for <var>navigationParams</var>'s <span
@@ -83115,8 +83120,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
     <ol>
      <li><p>If the result of running the <span>allowed to download</span> given <var>source</var>
-     and <var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
-     context</span> is true, then handle <var>response</var> <span>as a download</span>.</p></li>
+     and <var>browsingContext</var> is true, then handle <var>response</var> <span>as a
+     download</span>.</p></li>
 
      <li><p>Return.</p></li>
     </ol>
@@ -83171,33 +83176,29 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
     <p>An <dfn>explicitly supported XML MIME type</dfn> is an <span>XML MIME type</span> for which
     the user agent is configured to use an external application to render the content (either a
-    <span>plugin</span> rendering directly in <var>navigationParams</var>'s <span
-    data-x="navigation-params-browsing-context">browsing context</span>, or a separate application),
-    or one for which the user agent has dedicated processing rules (e.g., a web browser with a
-    built-in Atom feed viewer would be said to explicitly support the
+    <span>plugin</span> rendering directly in <var>browsingContext</var>, or a separate
+    application), or one for which the user agent has dedicated processing rules (e.g., a web
+    browser with a built-in Atom feed viewer would be said to explicitly support the
     <code>application/atom+xml</code> MIME type), or one for which the user agent has a dedicated
     handler.</p>
 
     <p>An <dfn>explicitly supported JSON MIME type</dfn> is a <span>JSON MIME type</span> for which
     the user agent is configured to use an external application to render the content (either a
-    <span>plugin</span> rendering directly in <var>navigationParams</var>'s <span
-    data-x="navigation-params-browsing-context">browsing context</span>, or a separate application),
-    or one for which the user agent has dedicated processing rules, or one for which the user agent
-    has a dedicated handler.</p>
+    <span>plugin</span> rendering directly in <var>browsingContext</var>, or a separate
+    application), or one for which the user agent has dedicated processing rules, or one for which
+    the user agent has a dedicated handler.</p>
    </li>
 
    <li id="navigate-non-Document"><p><i>Non-document content</i>: If, given <var>type</var>, the new
    resource is to be handled by displaying some sort of inline content, e.g., a native rendering of
    the content or an error message because the specified type is not supported, then <span
-   data-x="navigate-ua-inline">display the inline content</span> given
-   <var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
-   context</span>, and then return.</p></li>
+   data-x="navigate-ua-inline">display the inline content</span> given <var>browsingContext</var>,
+   and then return.</p></li>
 
    <li><p>Otherwise, the document's <var>type</var> is such that the resource will not affect
-   <var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
-   context</span>, e.g., because the resource is to be handed to an external application or because
-   it is an unknown type that will be processed <span>as a download</span>. <span data-x="hand-off
-   to external software">Process the resource appropriately</span>.</p>
+   <var>browsingContext</var>, e.g., because the resource is to be handed to an external application
+   or because it is an unknown type that will be processed <span>as a download</span>. <span
+   data-x="hand-off to external software">Process the resource appropriately</span>.</p>
   </ol>
 
   <p>To <dfn>process a navigate URL scheme</dfn>, given a <span>URL</span> <var>url</var> and
@@ -84860,6 +84861,221 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   </div>
 
+  <h4>The `<code>X-Frame-Options</code>` header</h4>
+
+  <p>The `<code>X-Frame-Options</code>` HTTP response header is a legacy way of controlling whether
+  and how a <code>Document</code> may be loaded inside of a <span>child browsing context</span>. It
+  is obsoleted by the <code data-x="frame-ancestors directive">frame-ancestors</code> CSP directive,
+  which provides more granular control over the same situations. It was originally defined in
+  <cite>HTTP Header Field X-Frame-Options</cite>, but the definition<span w-nodev> and processing
+  model</span> here supersedes that document. <ref spec=CSP> <ref spec=RFC7034>
+
+  <p class="note">In particular, <cite>HTTP Header Field X-Frame-Options</cite> specified an `<code
+  data-x="">ALLOW-FROM</code>` variant of the header, but that is not to be implemented.</p>
+
+  <p class="note"><span w-nodev>Per the below processing model, if</span><span w-nohtml>If</span>
+  both a CSP <code data-x="frame-ancestors directive">frame-ancestors</code> directive and an
+  `<code>X-Frame-Options</code>` header are used in the same <span
+  data-x="concept-response">response</span>, then `<code>X-Frame-Options</code>` is ignored.</p>
+
+  <p>For web developers and conformance checkers, its value <span data-x="header-abnf">ABNF</span>
+  is:</p>
+
+  <pre><code data-x="" class="abnf">X-Frame-Options = "DENY" / "SAMEORIGIN"</code></pre>
+
+  <div w-nodev>
+
+  <p>To <dfn>check a navigation response's adherence to `<code>X-Frame-Options</code>`</dfn>, given
+  a <span data-x="concept-response">response</span> <var>response</var>, a <span>browsing
+  context</span> <var>browsingContext</var>, and an <span>origin</span>
+  <var>destinationOrigin</var>:</p>
+
+  <ol>
+   <li><p>If <var>browsingContext</var> is not a <span>child browsing context</span>, then return
+   true.</p></li>
+
+   <li>
+    <p><span data-x="list iterate">For each</span> <var>policy</var> of <var>response</var>'s <span
+    data-x="concept-response-csp-list">CSP list</span>:</p>
+
+    <ol>
+     <li><p>If <var>policy</var>'s <span data-x="csp-disposition">disposition</span> is not "<code
+     data-x="">enforce</code>", then <span>continue</span>.</p></li>
+
+     <li><p>If <var>policy</var>'s <span data-x="csp-directive-set">directive set</span> <span
+     data-x="list contains">contains</span> a <code data-x="frame-ancestors
+     directive">frame-ancestors</code> directive, then return true.</p></li>
+    </ol>
+   </li>
+
+   <li><p>Let <var>rawXFrameOptions</var> be the result of <span
+   data-x="concept-header-list-get-decode-split">getting, decoding, and splitting</span>
+   `<code>X-Frame-Options</code>` from <var>response</var>'s <span
+   data-x="concept-response-header-list">header list</span>.</p></li>
+
+   <li><p>Let <var>xFrameOptions</var> be a new <span>set</span>.</p></li>
+
+   <li><p><span data-x="list iterate">For each</span> <var>value</var> of
+   <var>rawXFrameOptions</var>, <span data-x="set append">append</span> <var>value</var>,
+   <span>converted to ASCII lowercase</span>, to <var>xFrameOptions</var>.</p></li>
+
+   <li>
+    <p>If <var>xFrameOptions</var>'s <span data-x="list size">size</span> is greater than 1, and
+    <var>xFrameOptions</var> <span data-x="list contains">contains</span> any of "<code
+    data-x="">deny</code>", "<code data-x="">allowall</code>", or "<code
+    data-x="">sameorigin</code>", then return false.</p>
+
+    <p class="note">The intention here is to block any attempts at applying
+    `<code>X-Frame-Options</code>` which were trying to do something valid, but appear confused.</p>
+
+    <p class="note">This is the only impact of the legacy `<code data-x="">ALLOWALL</code>` value
+    on the processing model.</p>
+   </li>
+
+   <li>
+    <p>If <var>xFrameOptions</var>'s <span data-x="list size">size</span> is greater than 1, then
+    return true.</p>
+
+    <p class="note">This means it contains multiple invalid values, which we treat the same way as
+    if the header was omitted entirely.</p>
+   </li>
+
+   <li><p>If <var>xFrameOptions</var>[0] is "<code data-x="">deny</code>", then return
+   false.</p></li>
+
+   <li>
+    <p>If <var>xFrameOptions</var>[0] is "<code data-x="">sameorigin</code>", then:</p>
+
+    <ol>
+     <li><p>Let <var>containerDocument</var> be <var>browsingContext</var>'s <span
+     data-x="bc-container-document">container document</span>.</p></li>
+
+     <li>
+      <p><span>While</span> <var>containerDocument</var> is not null:</p>
+
+      <ol>
+       <li><p>If <var>containerDocument</var>'s <span>origin</span> is not <span>same origin</span>
+       with <var>destinationOrigin</var>, then return false.</p></li>
+
+       <li><p>Let <var>containerBC</var> be <var>containerDocument</var>'s <span
+       data-x="concept-document-bc">browsing context</span>.</p>
+
+       <li><p>Set <var>containerDocument</var> to <var>containerBC</var>'s <span
+       data-x="bc-container-document">container document</span>, if <var>containerBC</var> is
+       non-null; otherwise, null.</p></li>
+      </ol>
+     </li>
+    </ol>
+   </li>
+
+   <li>
+    <p>Return true.</p>
+
+    <p class="note">If we've reached this point then we have a lone invalid value (which could
+    potentially be one the legacy `<code data-x="">ALLOWALL</code>` or `<code
+    data-x="">ALLOW-FROM</code>` forms). These are treated as if the header were omitted
+    entirely.</p>
+   </li>
+  </ol>
+
+  <hr>
+
+  </div>
+
+  <div class="example">
+   <p>The following table illustrates the processing of various values for the header, including
+   non-conformant ones:</p>
+
+   <table class="data">
+    <thead>
+     <tr>
+      <th>`<code>X-Frame-Options</code>`</th>
+      <th>Valid</th>
+      <th>Result</th>
+     </tr>
+    </thead>
+    <tbody>
+     <tr>
+      <td>`<code data-x="">DENY</code>`</td>
+      <td>✅</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN</code>`</td>
+      <td>✅</td>
+      <td>same-origin embedding allowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">INVALID</code>`</td>
+      <td>❌</td>
+      <td>embedding allowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">ALLOWALL</code>`</td>
+      <td>❌</td>
+      <td>embedding allowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">ALLOW-FROM=https://example.com/</code>`</td>
+      <td>❌</td>
+      <td>embedding allowed (from anywhere)</td>
+     </tr>
+    </tbody>
+   </table>
+  </div>
+
+  <div class="example">
+   <p>The following table illustrates how various non-conformant cases involving multiple values are
+   processed:</p>
+
+   <table class="data">
+    <thead>
+     <tr>
+      <th>`<code>X-Frame-Options</code>`</th>
+      <th>Result</th>
+     </tr>
+    </thead>
+    <tbody>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, SAMEORIGIN</code>`</td>
+      <td>same-origin embedding allowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, DENY</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN,</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, ALLOWALL</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, INVALID</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">ALLOWALL, INVALID</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">ALLOWALL,</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">INVALID, INVALID</code>`</td>
+      <td>embedding allowed</td>
+     </tr>
+    </tbody>
+   </table>
+
+   <p>The same results are obtained whether the values are delivered in a single header whose value is comma-delimited,
+   or in multiple headers.</p>
+  </div>
+
+
 
   <h3 split-filename="offline" id="offline">Offline web applications</h3> <!--APPCACHE-->
 
@@ -117392,6 +117608,29 @@ interface <dfn>External</dfn> {
   </dl>
 
 
+  <h3>`<dfn><code>X-Frame-Options</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>X-Frame-Options</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3><dfn><code data-x="scheme-web">web+</code> scheme prefix</dfn></h3>
 
   <p>This section describes a convention for use with the IANA URI scheme registry. It does not
@@ -122340,6 +122579,9 @@ INSERT INTERFACES HERE
    <dt id="refsRFC6596">[RFC6596]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6596">The Canonical Link Relation</a></cite>, M. Ohye, J. Kupke. IETF.</dd>
 
+   <dt id="refsRFC7034">[RFC7034]</dt>
+   <dd>(Non-normative) <cite><a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a></cite>, D. Ross, T. Gondrom. IETF.</dd>
+
    <dt id="refsRFC7303">[RFC7303]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc7303">XML Media Types</a></cite>, H. Thompson, C. Lilley. IETF.</dd>