X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected)." We should check all ancestors instead.

Documentation

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Specification

Established standard

Status in Chromium

Blink components: Blink>SecurityFeature

Enabled by default (tracking bug) in:

• Chrome for desktop release 60
• Chrome for Android release 60
• Android WebView release 60

Consensus & Standardization

• Firefox: Public support
• Edge: No public signals
• Safari: No public signals
• Web Developers: No signals

Owner

• mkwst@chromium.org

Last updated on 2017-10-24