X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same-origin check only against the top-level frame in a document's ancestor chain, so a cross-origin frame nested anywhere in between is never considered. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected." We should check every ancestor in the chain instead.
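The difference between the two checks, as an added example that is not part of the Chrome Status entry or the Chromium source: a model of how a browser evaluates X-Frame-Options for a framed response, with the pre-60 behaviour (compare only the top-level frame's origin) and the Chrome 60 behaviour (compare every ancestor's origin) selectable by a flag. The rogue-ad scenario is constructed from the description above; the hostnames, the function names and the handling of values other than DENY and SAMEORIGIN (treated as an ignored header, as the HTML standard's processing model does) are assumptions of this example.

```javascript
// Added example: a model of the X-Frame-Options: SAMEORIGIN ancestor check.
// Origins are compared as scheme/host/port triples via the URL API, which also
// normalises default ports (https://a.example:443 === https://a.example).

/**
 * Decide whether a response carrying `headerValue` may be rendered in a frame.
 *
 * headerValue       raw X-Frame-Options header value, or null if absent
 * documentUrl       URL of the document being framed
 * ancestorUrls      ancestor documents' URLs, nearest parent first and the
 *                   top-level document last; [] means the document is top-level
 * checkAllAncestors true for the Chrome 60+ behaviour (every ancestor),
 *                   false for the pre-60 behaviour (top-level frame only)
 */
function xfoAllowsFraming(headerValue, documentUrl, ancestorUrls, checkAllAncestors = true) {
  if (ancestorUrls.length === 0) return true;          // a top-level document is never blocked
  if (headerValue === null || headerValue.trim() === "") return true;

  // A header may carry several comma-separated values (e.g. merged by a proxy).
  const values = headerValue
    .split(",")
    .map(v => v.trim().toUpperCase())
    .filter(v => v !== "");
  if (values.length === 0) return true;

  if (values.includes("DENY")) return false;           // DENY wins regardless of ancestors

  // Assumption of this example (matches the HTML standard's processing model):
  // any value other than DENY/SAMEORIGIN, such as ALLOW-FROM, which Chrome never
  // implemented, causes the header to be ignored rather than enforced.
  if (values.some(v => v !== "SAMEORIGIN")) return true;

  const ownOrigin = new URL(documentUrl).origin;
  const checked = checkAllAncestors
    ? ancestorUrls                                     // Chrome 60+: every ancestor must match
    : ancestorUrls.slice(-1);                          // pre-60: only the top-level frame is compared
  return checked.every(u => new URL(u).origin === ownOrigin);
}

// Constructed scenario (hostnames are placeholders): victim.example's own page
// shows a third-party ad in an iframe, and the ad iframe in turn frames a
// sensitive victim.example page, the classic clickjacking setup lcamtuf describes.
function rogueAdScenario() {
  const framed = "https://victim.example/account/settings";
  const ancestors = ["https://evil.example/ad.html", "https://victim.example/"];
  return {
    legacy:  xfoAllowsFraming("SAMEORIGIN", framed, ancestors, false), // true: top frame is same-origin
    current: xfoAllowsFraming("SAMEORIGIN", framed, ancestors, true),  // false: evil.example is in the chain
  };
}
```

With the legacy check the sensitive page renders inside the attacker-controlled ad frame because the top-level document is victim.example; with the ancestor-chain check it is blocked. Note that a `Content-Security-Policy: frame-ancestors` directive, where present, takes precedence over X-Frame-Options and already expresses the same all-ancestors rule.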

Specification

Established standard

Status in Chromium

Blink>SecurityFeature


Enabled by default (tracking bug) in:

  • Chrome for desktop release 60
  • Chrome for Android release 60
  • Android WebView release 60
  • Opera release 47
  • Opera for Android release 47

Consensus & Standardization

  • Public support
  • No public signals
  • No public signals
  • No signals

Last updated on 2017-10-24