Skip to content

Commit

Permalink
Define X-Frame-Options processing
Browse files Browse the repository at this point in the history
Closes #1230.
  • Loading branch information
domenic committed Aug 18, 2020
1 parent f283972 commit 2dda722
Showing 1 changed file with 130 additions and 16 deletions.
146 changes: 130 additions & 16 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -2507,6 +2507,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response">process response</dfn></li>
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header">getting a structured field value</dfn></li>
<li><dfn data-x="concept-header-list-set" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-set">set</dfn></li>
<li><dfn data-x="concept-header-list-get-decode-split" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-decode-split">get, decode, and split</dfn></li>
<li><dfn data-x="concept-fetch-terminate" data-x-href="https://fetch.spec.whatwg.org/#concept-fetch-terminate">terminate</dfn></li>
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check">cross-origin resource policy check</dfn></li>
<li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestcredentials"><code>RequestCredentials</code></dfn> enumeration</li>
Expand Down Expand Up @@ -3796,6 +3797,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute

<ul class="brief">
<li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#content-security-policy-object">Content Security Policy</dfn></li>
<li><dfn data-x="csp-disposition" data-x-href="https://w3c.github.io/webappsec-csp/#policy-disposition">disposition</dfn></li>
<li><dfn data-x="csp-directive-set" data-x-href="https://w3c.github.io/webappsec-csp/#policy-directive-set">directive set</dfn></li>
<li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#directives">Content Security Policy directive</dfn></li>
<li><dfn data-x="concept-csp-list" data-x-href="https://w3c.github.io/webappsec-csp/#csp-list">CSP list</dfn></li>
<li>The <dfn data-x-href="https://w3c.github.io/webappsec-csp/#grammardef-serialized-policy">Content Security Policy syntax</dfn></li>
Expand Down Expand Up @@ -83035,24 +83038,26 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
<p>If any of the following are true:</p>

<ul>
<li><p><var>response</var> is a <span>network error</span>.</p></li>
<li><p><var>response</var> is a <span>network error</span>;</p></li>

<li><p class="XXX">TODO: Define <code data-x="">X-Frame-Options</code> processing here (tracked
as <a href="https://github.com/whatwg/html/issues/1230">issue #1230</a>).</p></li>

<li><p>The <span>Should navigation response to navigation request of type from source in target
be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon <var>navigationParams</var>'s <span
data-x="navigation-params-request">request</span>, <var>response</var>,
<li><p>the result of <span>should navigation response to navigation request of type from source
in target be blocked by Content Security Policy?</span> given <var>navigationParams</var>'s
<span data-x="navigation-params-request">request</span>, <var>response</var>,
<var>navigationType</var>, <var>source</var>, and <var>navigationParams</var>'s <span
data-x="navigation-params-browsing-context">browsing context</span>.
<ref spec="CSP"></p></li>

<li><p>The result of <span
data-x="check a navigation response's adherence to its embedder policy">checking a
navigation response's adherence to its embedder policy</span> with <var>response</var> and
<var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
context</span> is false.</p></li>
data-x="navigation-params-browsing-context">browsing context</span> is "<code
data-x="">Blocked</code>"; <ref spec="CSP"></p></li>

<li><p>the result of <span data-x="check a navigation response's adherence to
`X-Frame-Options`">checking a navigation response's adherence to
`<code>X-Frame-Options</code>`</span> given <var>response</var>, <var>navigationParams</var>'s
<span data-x="navigation-params-browsing-context">browsing context</span>, and
<var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is
false; or</p></li>

<li><p>the result of <span data-x="check a navigation response's adherence to its embedder
policy">checking a navigation response's adherence to its embedder policy</span> given
<var>response</var> and <var>navigationParams</var>'s <span
data-x="navigation-params-browsing-context">browsing context</span> is false.</p></li>
</ul>

<p>then:</p>
Expand Down Expand Up @@ -84831,6 +84836,89 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {

</div>

<h4>The `<code>X-Frame-Options</code>` header</h4>

<p>The `<code>X-Frame-Options</code>` HTTP response header is a legacy way of controlling whether
and how a <code>Document</code> may be loaded inside of a <span>child browsing context</span>. It
is obsoleted by the <code data-x="frame-ancestors directive">frame-ancestors</code> CSP directive,
which provides more granular control over the same situations. It was originally defined in
<cite>HTTP Header Field X-Frame-Options</cite>, but the definition<span w-nodev> and processing
model</span> here supersedes that document. <ref spec=CSP> <ref spec=RFC7034>

<p class="note">In particular, <cite>HTTP Header Field X-Frame-Options</cite> specified an <code
data-x="">ALLOW-FROM</code> variant of the header, but this is not to be implemented.</p>

<p class="note"><span w-nodev>Per the below processing model, if</span><span w-nohtml>If</span>
both CSP <code data-x="frame-ancestors directive">frame-ancestors</code> directive and
`<code>X-Frame-Options</code>` are used in the same <span
data-x="concept-response">response</span>, then `<code>X-Frame-Options</code>` is ignored.</p>

<p>TODO ABNF? Not sure of the normative status of those these days.</p>

<div w-nodev>

<p>To <dfn>check a navigation response's adherence to `<code>X-Frame-Options</code>`</dfn>, given
a <span data-x="concept-response">response</span> <var>response</var>, a <span>browsing
context</span> <var>browsingContext</var>, and an <span>origin</span>
<var>destinationOrigin</var>:</p>

<ol>
<li><p>If <var>browsingContext</var> is not a <span>child browsing context</span>, then return
true.</p></li>

<li>
<p><span data-x="list iterate">For each</span> <var>policy</var> of <var>response</var>'s <span
data-x="concept-response-csp-list">CSP list</span>:</p>

<ol>
<li><p>If <var>policy</var>'s <span data-x="csp-disposition">disposition</span> is not "<code
data-x="">enforce</code>", then <span>continue</span>.</p></li>

<li><p>If <var>policy</var>'s <span data-x="csp-directive-set">directive set</span> <span
data-x="list contains">contains</span> a <code data-x="frame-ancestors
directive">frame-ancestors</code> directive, then return true.</p></li>
</ol>
</li>

<li><p>Let <var>xFrameOptions</var> be the result of <span
data-x="concept-header-list-get-decode-split">getting, decoding, and splitting</span>
`<code>X-Frame-Options</code>` from <var>response</var>'s <span
data-x="concept-response-header-list">header list</span>.</p></li>

<li><p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> "<code
data-x="">DENY</code>", then return false.</p></li>

<li>
<p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> "<code
data-x="">SAMEORIGIN</code>", then:</p>

<ol>
<li><p>Let <var>ancestorBC</var> be <var>browsingContext</var>'s <span>parent browsing
context</span>.</p></li>

<li>
<p><span>While</span> <var>ancestorBC</var> is not null:</p>

<ol>
<li><p>Let <var>origin</var> be <var>ancestorBC</var>'s <span>active document</span>'s
<span>origin</span>.</p></li>

<li><p>If <var>origin</var> is not <span>same origin</span> with
<var>destinationOrigin</var>, then return false.</p></li>

<li><p>Set <var>ancestorBC</var> to <var>ancestorBC</var>'s <span>parent browsing
context</span>, if one exists; otherwise, null.</p></li>
</ol>
</li>
</ol>
</li>

<li><p>Return true.</p></li>
</ol>

</div>



<h3 split-filename="offline" id="offline">Offline web applications</h3> <!--APPCACHE-->

Expand Down Expand Up @@ -117289,6 +117377,29 @@ interface <dfn>External</dfn> {
</dl>


<h3>`<dfn><code>X-Frame-Options</code></dfn>`</h3>

<p>This section describes a header for registration in the Permanent Message Header Field
Registry. <ref spec=RFC3864></p>

<dl>
<dt>Header field name:</dt>
<dd>X-Frame-Options</dd>
<dt>Applicable protocol:</dt>
<dd>http</dd>
<dt>Status:</dt>
<dd>standard</dd>
<dt>Author/Change controller:</dt>
<dd>WHATWG</dd>
<dt>Specification document(s):</dt>
<dd>
This document is the relevant specification.
</dd>
<dt>Related information:</dt>
<dd>None.</dd>
</dl>


<h3><dfn><code data-x="scheme-web">web+</code> scheme prefix</dfn></h3>

<p>This section describes a convention for use with the IANA URI scheme registry. It does not
Expand Down Expand Up @@ -122237,6 +122348,9 @@ INSERT INTERFACES HERE
<dt id="refsRFC6596">[RFC6596]</dt>
<dd><cite><a href="https://tools.ietf.org/html/rfc6596">The Canonical Link Relation</a></cite>, M. Ohye, J. Kupke. IETF.</dd>

<dt id="refsRFC7034">[RFC7034]</dt>
<dd><cite><a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a></cite>, D. Ross, T. Gondrom. IETF.</dd>

<dt id="refsRFC7303">[RFC7303]</dt>
<dd><cite><a href="https://tools.ietf.org/html/rfc7303">XML Media Types</a></cite>, H. Thompson, C. Lilley. IETF.</dd>

Expand Down

0 comments on commit 2dda722

Please sign in to comment.