Bug 285666 - RESOLVED DUPLICATE of bug 272745
FF (0x0c) stripped from X-Frame-Options even though only HTTP whitespace should be stripped
https://bugs.webkit.org/show_bug.cgi?id=285666
jannis.rautenstrauch
Reported 2025-01-09 03:10:40 PST
Form feeds (0x0c) are not allowed as spaces in X-Frame-Options, which only allows HTTP whitespace (https://fetch.spec.whatwg.org/#http-whitespace). However, Blink strips these characters and, for example, blocks a resource with `X-Frame-Options: DENY\x0c`.

Example URL: http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=XFO&first_id=3591&last_id=3591&scheme=http&t_resp_id=3591&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu

Related bug (VT): https://bugs.webkit.org/show_bug.cgi?id=272745. Note that FF seems to be allowed in CSP, which uses ASCII whitespace (https://w3c.github.io/webappsec-csp/#grammardef-optional-ascii-whitespace), which contains \x0c.
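The spec-conformant parsing the report contrasts with the observed behaviour, as an added example that is not WebKit's or Blink's code: Fetch's "get, decode, and split" with HTTP whitespace stripping, and the HTML X-Frame-Options decision on top of it. `ASCII_WS`, `ancestorOrigins` and the origins used are constructed for the demo; the CSP frame-ancestors override is left out.

```javascript
// Added example, not WebKit or Blink code: an X-Frame-Options check written
// to the spec algorithm, to show the effect of stripping only HTTP whitespace.
// Fetch's HTTP whitespace (https://fetch.spec.whatwg.org/#http-whitespace) is
// TAB, LF, CR and SPACE only; form feed (0x0C) is NOT included, whereas the
// ASCII whitespace CSP uses does include it (ASCII_WS is constructed here for contrast).
const HTTP_WS = /^[\t\n\r ]+|[\t\n\r ]+$/g;
const ASCII_WS = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

// Fetch "get, decode, and split" for one field value: split on commas that
// are outside quoted strings, then strip the given whitespace from each piece.
function splitHeaderValue(value, ws = HTTP_WS) {
  const out = [];
  let cur = "", inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (inQuote && c === "\\" && i + 1 < value.length) { cur += c + value[++i]; continue; }
    if (c === '"') inQuote = !inQuote;
    if (c === "," && !inQuote) { out.push(cur.replace(ws, "")); cur = ""; }
    else cur += c;
  }
  out.push(cur.replace(ws, ""));
  return out;
}

// HTML "check a navigation response's adherence to X-Frame-Options", without
// the CSP frame-ancestors override. ancestorOrigins (constructed input) lists
// the origins of every embedding document. Returns true when framing is allowed.
function xfoAllowsFraming(headerValue, responseOrigin, ancestorOrigins, ws = HTTP_WS) {
  if (headerValue === null) return true;
  const values = new Set(splitHeaderValue(headerValue, ws).map((v) => v.toLowerCase()));
  if (values.size > 1) {
    // Conflicting values: only these block; anything else makes the header a no-op.
    return !(values.has("deny") || values.has("allowall") || values.has("invalid"));
  }
  const [v] = values;
  if (v === "deny") return false;
  if (v === "sameorigin") return ancestorOrigins.every((o) => o === responseOrigin);
  return true; // unrecognized token such as "deny\f": the header is ignored
}
```

With `HTTP_WS`, `DENY\f` is an unrecognized token and the header is ignored (framing allowed); passing `ASCII_WS` reproduces the blocking behaviour the report observed.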
Radar WebKit Bug Importer
Comment 1 2025-01-16 03:11:15 PST
Anne van Kesteren
Comment 2 2026-01-26 12:23:24 PST
*** This bug has been marked as a duplicate of bug 272745 ***