Consider making X-Frame-Options: deny to create a new browsing context group
#4218
Labels
Comments
|
X-Frame-Options: deny & X-Frame-Options: sameorigin (when navigating cross-origin). |
rniwa
changed the title
X-Frame-Options: deny to create a new browsing context groupX-Frame-Options: deny to create a new browsing context group when navigating cross-site
rniwa
changed the title
X-Frame-Options: deny to create a new browsing context group when navigating cross-siteX-Frame-Options: deny to create a new browsing context group
|
I'd be worried about OAuth providers setting this and no longer functioning afterwards, but it's worth experimenting with. What is the exact behavior you are going for? Some scenarios:
|
annevk
added
addition/proposal
|
(This depends on #1230.) |
|
Both Google and Facebook OAuth popups seem to serve "X-Frame-Options: deny" (tested on Yelp.com) and yet rely on having an opener. I do not think this would be Web-compatible. |
|
Given this observation, we would recede this proposal. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While exploring the latest proposal in #3740, we came to realization that much of the security benefits & needs of the header coincides with that of
X-Frame-Options: denywith regards to severing opener and creating a new namespace for frames, etc..Namely, websites that opts to set
X-Frame-Options: denyoften don't want other websites to be able to click jack, be able to navigate frames within the website, etc... We think almost all websites that currently opts to useX-Frame-Options: denyalso want to sever opener relationship as well if they could.Therefore we propose to make
X-Frame-Options: denysever the opener relationship by creating a new browsing context group as well, and we intend to experiment this behavior in WebKit.The text was updated successfully, but these errors were encountered: