X-Frame-Options: SAMEORIGIN matches all ancestors.

Feature: X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected)." We should check all ancestors instead.

Documentation

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Specification

Specification link

Status: Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form

Status in Chromium

Blink components: Blink>SecurityFeature

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Edge: No signal
Safari: No signal
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2020-11-16