Currently, XFO performs a same-origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in [1], "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected." We should check all ancestors instead.
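As an added illustration of the two checks (example code, not Chromium's own frame-ancestor logic), the following JavaScript models the `X-Frame-Options: SAMEORIGIN` decision for a framed page and runs the scenario lcamtuf describes: a site frames a third-party ad, and the ad frame in turn frames a sensitive page of that same site. The origin strings, the hostnames and the ancestor-chain representation are constructed for the example.

```javascript
// Added example, not Chromium's implementation: a model of the
// "X-Frame-Options: SAMEORIGIN" decision for a framed document, comparing
// the old top-level-only ancestor check with a check over every ancestor.
// Assumptions: origins are already-normalized strings such as
// "https://example.com"; `ancestors` lists the origins of the frame's
// ancestor documents from the immediate parent up to the top-level page.

function parseXfo(headerValue) {
  // Recognises DENY and SAMEORIGIN (case-insensitively); anything else,
  // including a missing header, is treated as "no policy". Repeated or
  // conflicting header values are out of scope for this model.
  if (typeof headerValue !== "string") return "NONE";
  const directive = headerValue.trim().toUpperCase();
  return directive === "DENY" || directive === "SAMEORIGIN" ? directive : "NONE";
}

// mode is "top-only" (compare against the top-level frame only) or
// "all-ancestors" (every ancestor must be same-origin with the framed page).
function shouldRenderFrame(xfoHeader, frameOrigin, ancestors, mode) {
  const policy = parseXfo(xfoHeader);
  if (policy === "NONE") return true;       // no policy: render
  if (ancestors.length === 0) return true;  // top-level navigation: XFO does not apply
  if (policy === "DENY") return false;      // never rendered in a frame
  // SAMEORIGIN: choose which ancestors take part in the comparison.
  const checked =
    mode === "all-ancestors" ? ancestors : [ancestors[ancestors.length - 1]];
  return checked.every((origin) => origin === frameOrigin);
}

// Constructed scenario: the portal at portal.example embeds a third-party ad
// frame, and that ad frame embeds a sensitive portal page that sends
// SAMEORIGIN. Chains are listed immediate parent first, top-level last.
function scenarioResults() {
  const sensitivePage = "https://portal.example";
  const header = "SAMEORIGIN";
  const viaThirdPartyFrame = ["https://ads.example.net", "https://portal.example"];
  const framedDirectly = ["https://portal.example"]; // legitimate same-site embed
  return {
    // Top-only check sees only portal.example at the top and renders the page.
    thirdPartyTopOnly: shouldRenderFrame(header, sensitivePage, viaThirdPartyFrame, "top-only"),
    // All-ancestors check sees ads.example.net in the chain and blocks it.
    thirdPartyAllAncestors: shouldRenderFrame(header, sensitivePage, viaThirdPartyFrame, "all-ancestors"),
    // A direct same-origin embed is rendered under both policies.
    directTopOnly: shouldRenderFrame(header, sensitivePage, framedDirectly, "top-only"),
    directAllAncestors: shouldRenderFrame(header, sensitivePage, framedDirectly, "all-ancestors"),
  };
}

console.log(scenarioResults());
```

The two `thirdParty*` results are the point of the change: with the top-level-only check the sensitive page is rendered inside the third-party frame even though it sent `SAMEORIGIN`, while the all-ancestors check refuses to render it; the direct same-origin embed behaves identically under both, so legitimate self-framing is unaffected.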

Established standard

Status in Chromium

Enabled by default (tracking bug) in:

  • Chrome for desktop release 60
  • Chrome for Android release 60
  • Android WebView release 60

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • No signals

Last updated on 2020-11-16