Bug 285666
| Summary: | FF (0x0c) stripped from X-Frame-Options even though only HTTP whitespace should be stripped | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | jannis.rautenstrauch |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | achristensen, annevk, beidson, charliew, karlcow, m_finkel, webkit-bug-importer, wilander, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 18 | | |
| Hardware: | Unspecified | | |
| OS: | macOS 15 | | |
jannis.rautenstrauch
Form feeds (0x0c) are not allowed as spaces in X-Frame-Options, which only allows HTTP whitespace (https://fetch.spec.whatwg.org/#http-whitespace). However, Blink strips these characters and, for example, blocks a resource with `X-Frame-Options: DENY\x0c`.
Example URL: http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=XFO&first_id=3591&last_id=3591&scheme=http&t_resp_id=3591&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu
Related bug (VT): https://bugs.webkit.org/show_bug.cgi?id=272745. Note that FF seems to be allowed in CSP, which uses ASCII whitespace (https://w3c.github.io/webappsec-csp/#grammardef-optional-ascii-whitespace), which contains \x0c.
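The spec behaviour the report is comparing against, as an added example that is not part of the bug report or of WebKit's code: a small JavaScript model of the HTML spec's X-Frame-Options check, built on the Fetch spec's "get, decode, and split", which strips only HTTP tab or space (U+0009 and U+0020) from the ends of each list item. A second trim set, Infra's ASCII whitespace, is included so the lenient behaviour (U+000C removed as well) can be run side by side. The origins are constructed placeholders, same-origin is modelled as string equality, and the CSP frame-ancestors short-circuit that the spec performs before looking at X-Frame-Options is left out.

```javascript
// Added example (not from the bug report or WebKit): a model of the HTML spec's
// X-Frame-Options check on top of the Fetch spec's "get, decode, and split".

// Fetch: "HTTP tab or space" is U+0009 TAB or U+0020 SPACE. This is the only
// set that "get, decode, and split" removes from the ends of each list item.
const HTTP_TAB_OR_SPACE = /^[\t ]+|[\t ]+$/g;

// Infra: "ASCII whitespace" is TAB, LF, FF, CR and SPACE. A parser trimming
// this set also removes U+000C, which is the behaviour the report describes.
const ASCII_WHITESPACE = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

// ASCII lowercase: only A-Z change, unlike String.prototype.toLowerCase().
function asciiLowercase(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// Fetch "get, decode, and split": split a header value on commas, skipping
// commas inside HTTP quoted strings, then trim each item with `trimRe`.
// `trimRe` defaults to the spec's set; pass ASCII_WHITESPACE for the lenient variant.
function getDecodeAndSplit(value, trimRe = HTTP_TAB_OR_SPACE) {
  const values = [];
  let temp = "";
  let pos = 0;
  while (pos < value.length) {
    // Collect a sequence of code points that are not '"' or ','.
    while (pos < value.length && value[pos] !== '"' && value[pos] !== ",") {
      temp += value[pos++];
    }
    if (pos < value.length) {
      if (value[pos] === '"') {
        // Collect an HTTP quoted string verbatim (quotes and escapes kept).
        temp += value[pos++];
        while (pos < value.length && value[pos] !== '"') {
          if (value[pos] === "\\" && pos + 1 < value.length) {
            temp += value[pos] + value[pos + 1];
            pos += 2;
          } else {
            temp += value[pos++];
          }
        }
        if (pos < value.length) temp += value[pos++];
        if (pos < value.length) continue; // more of this item may follow
      } else {
        pos++; // skip the separating comma
      }
    }
    values.push(temp.replace(trimRe, ""));
    temp = "";
  }
  return values;
}

// HTML "check a navigation response's adherence to X-Frame-Options", steps
// 3 to 10. Returns true when the response may be framed. Origins are plain
// strings here and same-origin is string equality (a simplification); the
// CSP frame-ancestors short-circuit (step 2) is not modelled.
function xfoAllowsFraming(headerValue, ancestorOrigins, destinationOrigin,
                          trimRe = HTTP_TAB_OR_SPACE) {
  if (headerValue === null) return true; // header absent
  const xfo = new Set(getDecodeAndSplit(headerValue, trimRe).map(asciiLowercase));
  if (xfo.size > 1 && (xfo.has("deny") || xfo.has("allowall") || xfo.has("invalid"))) {
    return false;
  }
  if (xfo.size > 1) return true;
  const [first] = xfo; // undefined when the list is empty
  if (first === "deny") return false;
  if (first === "sameorigin") {
    return ancestorOrigins.every((origin) => origin === destinationOrigin);
  }
  return true; // unrecognised value (including "deny\x0c"): no restriction
}

// Constructed sample: a page at DEST embedded by a page on another origin.
const DEST = "https://site.example";
const ANCESTORS = ["https://embedder.example"];
const SAMPLES = ["DENY", "DENY \t", "DENY\x0c", "SAMEORIGIN", "DENY, SAMEORIGIN"];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v).padEnd(22),
    "spec allows framing:", xfoAllowsFraming(v, ANCESTORS, DEST),
    "lenient allows framing:", xfoAllowsFraming(v, ANCESTORS, DEST, ASCII_WHITESPACE));
}
```

Run with `node`. Under the spec model `DENY\x0c` survives trimming, is not equal to `deny`, and therefore imposes no restriction, while the lenient trim turns it into `DENY` and blocks; a trailing tab or space (`DENY \t`) is stripped under both and blocks under both. From a hardening standpoint the practical lesson is that a server should emit an exact `DENY` or `SAMEORIGIN` token with no stray bytes, and that CSP `frame-ancestors`, which the spec checks before X-Frame-Options, is the more dependable control.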
Radar WebKit Bug Importer
<rdar://problem/143037737>
Anne van Kesteren
*** This bug has been marked as a duplicate of bug 272745 ***