X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same-origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected." We should check all ancestors instead.
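The difference between the two checks, as an added model of the browser-side decision (illustrative code written for this entry, not Chromium's implementation): the frame chain, URLs and the `xfoSameOriginAllows` helper are constructed assumptions, and only the SAMEORIGIN directive is modelled.

```javascript
// Same-origin comparison on the (scheme, host, port) triple. WHATWG URL
// normalises default ports to "", so https://a.example and
// https://a.example:443 compare equal.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Decide whether `documentUrl`, served with X-Frame-Options: SAMEORIGIN, may
// render inside the frame chain `ancestors` (ordered from direct parent up to
// the top-level document). checkAllAncestors=false reproduces the older
// top-level-only check; true is the behaviour this entry proposes.
function xfoSameOriginAllows(documentUrl, ancestors, checkAllAncestors) {
  if (ancestors.length === 0) return true; // top-level document: nothing frames it
  const toCheck = checkAllAncestors ? ancestors : [ancestors[ancestors.length - 1]];
  return toCheck.every(ancestor => sameOrigin(ancestor, documentUrl));
}

// Constructed scenario from the description above: a same-origin top-level
// page embeds a third-party ad iframe, and that ad iframe in turn frames a
// sensitive page of the same site.
const protectedPage = 'https://site.example/account/settings';
const chain = ['https://ads.example/creative.html', 'https://site.example/home'];

function demo() {
  return {
    // true: only the top-level origin is compared, so the rogue ad's frame is not seen
    topLevelOnly: xfoSameOriginAllows(protectedPage, chain, false),
    // false: the cross-origin intermediate ancestor fails the check and framing is refused
    allAncestors: xfoSameOriginAllows(protectedPage, chain, true),
  };
}

console.log(demo());
```

A site-internal nesting (every ancestor on the same origin) still passes under the stricter check, so legitimate same-site embedding is unaffected.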

Specification

Established standard

Status in Chromium

In development (launch bug)

Consensus & Standardization

  • Public support
  • No public signals
  • No public signals
  • No signals

Owner

Last updated on 2017-05-12