X-Frame-Options: SAMEORIGIN matches all ancestors.

Feature: X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected)." We should check all ancestors instead.

Enabled by default (tracking bug) in:

Chrome for desktop release 60
Chrome for Android release 60
Android WebView release 60

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Edge: No signal
Safari: No signal
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2020-11-16

Feature: X-Frame-Options: SAMEORIGIN matches all ancestors.

Documentation

Specification

Status in Chromium

Consensus & Standardization

Owner