X-Frame-Options HTTP headers with an empty value are incorrectly being ignored

https://bugs.webkit.org/show_bug.cgi?id=244889

Reviewed by Geoffrey Garen and Brent Fulgham.

X-Frame-Options HTTP headers with an empty value are incorrectly being ignored.
The issue was that we were using split() instead of splitAllowingEmptyEntries(),
which was causing us to skip empty header values.

* LayoutTests/imported/w3c/web-platform-tests/x-frame-options/multiple-expected.txt:
* Source/WebCore/platform/network/HTTPParsers.cpp:
(WebCore::parseXFrameOptionsHeader):

Canonical link: https://commits.webkit.org/254245@main
cdumez committed Sep 7, 2022
1 parent b570177 commit 8c97181d75591874ad4312a0d1df22ff5d6a8fa0
Showing 2 changed files with 7 additions and 7 deletions.
@@ -42,9 +42,9 @@ PASS `"DENY";SAMEORIGIN` blocks cross-origin framing
PASS `SAMEORIGIN,"DENY"` blocks cross-origin framing
PASS `"DENY",SAMEORIGIN` blocks cross-origin framing
PASS `SAMEORIGIN;` blocks same-origin framing
FAIL `(the empty string);SAMEORIGIN` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
FAIL `SAMEORIGIN,(the empty string)` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
FAIL `(the empty string),SAMEORIGIN` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
PASS `(the empty string);SAMEORIGIN` blocks same-origin framing
PASS `SAMEORIGIN,(the empty string)` blocks same-origin framing
PASS `(the empty string),SAMEORIGIN` blocks same-origin framing
PASS `SAMEORIGIN;` blocks cross-origin framing
PASS `(the empty string);SAMEORIGIN` blocks cross-origin framing
PASS `SAMEORIGIN,(the empty string)` blocks cross-origin framing
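Review bot: the three `blocks same-origin framing` lines that flip from FAIL to PASS include the `(the empty string);SAMEORIGIN` form, yet the only parser change in this commit is to the `,` split. The commit message should say how the `;` form reaches parseXFrameOptionsHeader (presumably as separate header lines that are joined with commas before parsing), so a reader can tell the semicolon case is covered by the same fix rather than passing for another reason.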
@@ -84,9 +84,9 @@ PASS `INVALID;ALLOWALL` blocks cross-origin framing
PASS `ALLOWALL,INVALID` blocks cross-origin framing
PASS `INVALID,ALLOWALL` blocks cross-origin framing
PASS `ALLOWALL;` blocks same-origin framing
FAIL `(the empty string);ALLOWALL` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
FAIL `ALLOWALL,(the empty string)` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
FAIL `(the empty string),ALLOWALL` blocks same-origin framing assert_equals: expected null but got Document node with 2 children
PASS `(the empty string);ALLOWALL` blocks same-origin framing
PASS `ALLOWALL,(the empty string)` blocks same-origin framing
PASS `(the empty string),ALLOWALL` blocks same-origin framing
PASS `ALLOWALL;` blocks cross-origin framing
PASS `(the empty string);ALLOWALL` blocks cross-origin framing
PASS `ALLOWALL,(the empty string)` blocks cross-origin framing
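Review bot: the `ALLOWALL` lines that flip to PASS mean a response such as `ALLOWALL,(the empty string)` now blocks same-origin framing where it previously loaded (the old result was `got Document node with 2 children`). That is a stricter outcome for pages that were framed successfully before, so the commit message or a changelog entry should call out the behavior change for sites that emit an empty X-Frame-Options entry alongside a valid one.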
@@ -559,7 +559,7 @@ XFrameOptionsDisposition parseXFrameOptionsHeader(StringView header)
if (header.isEmpty())
return result;

for (auto currentHeader : header.split(',')) {
for (auto currentHeader : header.splitAllowingEmptyEntries(',')) {
currentHeader = currentHeader.stripWhiteSpace();
XFrameOptionsDisposition currentValue = XFrameOptionsDisposition::None;
if (equalLettersIgnoringASCIICase(currentHeader, "deny"_s))
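Review bot: the `if (header.isEmpty()) return result;` early return above the loop is left as is, so a header that is empty in its entirety still skips the loop while an empty entry inside a comma-separated list is now parsed. Please confirm that asymmetry is intended, and add a short comment on the `splitAllowingEmptyEntries(',')` line saying empty entries must be kept, so the call is not later simplified back to `split(',')`.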
