Define X-Frame-Options processing

Closes #1230.
whatwg · Aug 7, 2020 · 7482877 · 7482877
1 parent 2333203
commit 7482877
Showing 1 changed file with 130 additions and 16 deletions.
diff --git a/source b/source
@@ -2507,6 +2507,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response">process response</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header">getting a structured field value</dfn></li>
      <li><dfn data-x="concept-header-list-set" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-set">set</dfn></li>
+     <li><dfn data-x="concept-header-list-get-decode-split" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-decode-split">get, decode, and split</dfn></li>
      <li><dfn data-x="concept-fetch-terminate" data-x-href="https://fetch.spec.whatwg.org/#concept-fetch-terminate">terminate</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check">cross-origin resource policy check</dfn></li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestcredentials"><code>RequestCredentials</code></dfn> enumeration</li>
@@ -3792,6 +3793,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#content-security-policy-object">Content Security Policy</dfn></li>
+     <li><dfn data-x="csp-disposition" data-x-href="https://w3c.github.io/webappsec-csp/#policy-disposition">disposition</dfn></li>
+     <li><dfn data-x="csp-directive-set" data-x-href="https://w3c.github.io/webappsec-csp/#policy-directive-set">directive set</dfn></li>
      <li><dfn data-x-href="https://w3c.github.io/webappsec-csp/#directives">Content Security Policy directive</dfn></li>
      <li><dfn data-x="concept-csp-list" data-x-href="https://w3c.github.io/webappsec-csp/#csp-list">CSP list</dfn></li>
      <li>The <dfn data-x-href="https://w3c.github.io/webappsec-csp/#grammardef-serialized-policy">Content Security Policy syntax</dfn></li>
@@ -83030,24 +83033,26 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     <p>If any of the following are true:</p>
 
     <ul>
-     <li><p><var>response</var> is a <span>network error</span>.</p></li>
+     <li><p><var>response</var> is a <span>network error</span>;</p></li>
 
-     <li><p class="XXX">TODO: Define <code data-x="">X-Frame-Options</code> processing here (tracked
-     as <a href="https://github.com/whatwg/html/issues/1230">issue #1230</a>).</p></li>
-
-     <li><p>The <span>Should navigation response to navigation request of type from source in target
-     be blocked by Content Security Policy?</span> algorithm returns "<code
-     data-x="">Blocked</code>" when executed upon <var>navigationParams</var>'s <span
-     data-x="navigation-params-request">request</span>, <var>response</var>,
+     <li><p>the result of <span>should navigation response to navigation request of type from source
+     in target be blocked by Content Security Policy?</span> given <var>navigationParams</var>'s
+     <span data-x="navigation-params-request">request</span>, <var>response</var>,
      <var>navigationType</var>, <var>source</var>, and <var>navigationParams</var>'s <span
-     data-x="navigation-params-browsing-context">browsing context</span>.
-     <ref spec="CSP"></p></li>
-
-     <li><p>The result of <span
-     data-x="check a navigation response's adherence to its embedder policy">checking a
-     navigation response's adherence to its embedder policy</span> with <var>response</var> and
-     <var>navigationParams</var>'s <span data-x="navigation-params-browsing-context">browsing
-     context</span> is false.</p></li>
+     data-x="navigation-params-browsing-context">browsing context</span> is "<code
+     data-x="">Blocked</code>"; <ref spec="CSP"></p></li>
+
+     <li><p>the result of <span data-x="check a navigation response's adherence to
+     `X-Frame-Options`">checking a navigation response's adherence to
+     `<code>X-Frame-Options</code>`</span> given <var>response</var>, <var>navigationParams</var>'s
+     <span data-x="navigation-params-browsing-context">browsing context</span>, and
+     <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is
+     false; or</p></li>
+
+     <li><p>the result of <span data-x="check a navigation response's adherence to its embedder
+     policy">checking a navigation response's adherence to its embedder policy</span> given
+     <var>response</var> and <var>navigationParams</var>'s <span
+     data-x="navigation-params-browsing-context">browsing context</span> is false.</p></li>
     </ul>
 
     <p>then:</p>
@@ -84791,6 +84796,89 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   </div>
 
+  <h4>The `<code>X-Frame-Options</code>` header</h4>
+
+  <p>The `<code>X-Frame-Options</code>` HTTP response header is a legacy way of controlling whether
+  and how a <code>Document</code> may be loaded inside of a <span>child browsing context</span>. It
+  is obsoleted by the <code data-x="frame-ancestors directive">frame-ancestors</code> CSP directive,
+  which provides more granular control over the same situations. It was originally defined in
+  <cite>HTTP Header Field X-Frame-Options</cite>, but the definition<span w-nodev> and processing
+  model</span> here supersedes that document. <ref spec=CSP> <ref spec=RFC7034>
+
+  <p class="note">In particular, <cite>HTTP Header Field X-Frame-Options</cite> specified an <code
+  data-x="">ALLOW-FROM</code> variant of the header, but this is not to be implemented.</p>
+
+  <p class="note"><span w-nodev>Per the below processing model, if</span><span w-nohtml>If</span>
+  both CSP <code data-x="frame-ancestors directive">frame-ancestors</code> directive and
+  `<code>X-Frame-Options</code>` are used in the same <span
+  data-x="concept-response">response</span>, then `<code>X-Frame-Options</code>` is ignored.</p>
+
+  <p>TODO ABNF? Not sure of the normative status of those these days.</p>
+
+  <div w-nodev>
+
+  <p>To <dfn>check a navigation response's adherence to `<code>X-Frame-Options</code>`</dfn>, given
+  a <span data-x="concept-response">response</span> <var>response</var>, a <span>browsing
+  context</span> <var>browsingContext</var>, and an <span>origin</span>
+  <var>destinationOrigin</var>:</p>
+
+  <ol>
+   <li><p>If <var>browsingContext</var> is not a <span>child browsing context</span>, then return
+   true.</p></li>
+
+   <li>
+    <p><span data-x="list iterate">For each</span> <var>policy</var> of <var>response</var>'s <span
+    data-x="concept-response-csp-list">CSP list</span>:</p>
+
+    <ol>
+     <li><p>If <var>policy</var>'s <span data-x="csp-disposition">disposition</span> is not "<code
+     data-x="">enforce</code>", then <span>continue</span>.</p></li>
+
+     <li><p>If <var>policy</var>'s <span data-x="csp-directive-set">directive set</span> <span
+     data-x="list contains">contains</span> a <code data-x="frame-ancestors
+     directive">frame-ancestors</code> directive, then return true.</p></li>
+    </ol>
+   </li>
+
+   <li><p>Let <var>xFrameOptions</var> be the result of <span
+   data-x="concept-header-list-get-decode-split">getting, decoding, and splitting</span>
+   `<code>X-Frame-Options</code>` from <var>response</var>'s <span
+   data-x="concept-response-header-list">header list</span>.</p></li>
+
+   <li><p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> "<code
+   data-x="">DENY</code>", then return false.</p></li>
+
+   <li>
+    <p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> "<code
+    data-x="">SAMEORIGIN</code>", then:</p>
+
+    <ol>
+     <li><p>Let <var>ancestorBC</var> be <var>browsingContext</var>'s <span>parent browsing
+     context</span>.</p></li>
+
+     <li>
+      <p><span>While</span> <var>ancestorBC</var> is not null:</p>
+
+      <ol>
+       <li><p>Let <var>origin</var> be <var>ancestorBC</var>'s <span>active document</span>'s
+       <span>origin</span>.</p></li>
+
+       <li><p>If <var>origin</var> is not <span>same origin</span> with
+       <var>destinationOrigin</var>, then return false.</p></li>
+
+       <li><p>Set <var>ancestorBC</var> to <var>ancestorBC</var>'s <span>parent browsing
+       context</span>, if one exists; otherwise, null.</p></li>
+      </ol>
+     </li>
+    </ol>
+   </li>
+
+   <li><p>Return true.</p></li>
+  </ol>
+
+  </div>
+
+
 
   <h3 split-filename="offline" id="offline">Offline web applications</h3> <!--APPCACHE-->
 
@@ -117210,6 +117298,29 @@ interface <dfn>External</dfn> {
   </dl>
 
 
+  <h3>`<dfn><code>X-Frame-Options</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>X-Frame-Options</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3><dfn><code data-x="scheme-web">web+</code> scheme prefix</dfn></h3>
 
   <p>This section describes a convention for use with the IANA URI scheme registry. It does not
@@ -122164,6 +122275,9 @@ INSERT INTERFACES HERE
    <dt id="refsRFC6596">[RFC6596]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6596">The Canonical Link Relation</a></cite>, M. Ohye, J. Kupke. IETF.</dd>
 
+   <dt id="refsRFC7034">[RFC7034]</dt>
+   <dd><cite><a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a></cite>, D. Ross, T. Gondrom. IETF.</dd>
+
    <dt id="refsRFC7303">[RFC7303]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc7303">XML Media Types</a></cite>, H. Thompson, C. Lilley. IETF.</dd>