Allow-From is a value that is currently only supported by Firefox and
Internet Explorer/Edge. With Edge moving to a Chromium source base, this
will mean Firefox will be the only implementer of this part of the standard.

Chrome marked an issue to support allow-from as wont-fix:

https://bugs.chromium.org/p/chromium/issues/detail?id=129139

Webkit also marked the bug as wont-fix around the same time frame-ancestors
was added to their browser:

https://bugs.webkit.org/show_bug.cgi?id=94836

In a draft version of the standard there was an AllAncestors flag that was
never added to the specification:

https://tools.ietf.org/id/draft-gondrom-frame-options-02.txt

This would have permitted web servers to prevent framing across the whole
ancestor chain. The standard never made it clear whether the whole ancestor
chain should be inspected, and so implementations have varied.

Chrome and Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=725490) now
implement this as the default for all X-Frame-Options SAMEORIGIN header
responses. However, this same behaviour wasn't added to Allow-From, as Chrome
doesn't implement the Allow-From value; doing so would cause Firefox to break
sites that worked on Chrome, for a limited advantage in security.

Because of the confusing way Allow-From is implemented in contrast to
SameOrigin, I think it makes sense to suggest that all developers should
instead be using the Frame-Ancestors directive in CSP, which is a viable
alternative that is consistently implemented across all modern browsers.

Additionally, this feature isn't covered by cross-browser web platform tests.

Currently Chrome issues a console warning for an X-Frame-Options header
that has the Allow-From keyword or anything it is unable to parse; this
patch will also implement that warning for developers. In the case of
Allow-From, Firefox will also fail open in the same manner, permitting
framing by any domain.
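As an added example (not part of this post or of the Firefox patch), the following models the behaviour described above so that a site's own response headers can be audited: SAMEORIGIN checked against the whole ancestor chain, ALLOW-FROM and unparseable values failing open, and CSP frame-ancestors taking precedence. The frame-ancestors source matching is deliberately simplified to 'none', 'self', '*' and exact origins; all URLs and header values are constructed sample data.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Return scheme://host[:port], lower-cased, for origin comparisons."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def classify_xfo(value):
    """Parse an X-Frame-Options value into (kind, origin).

    kind is 'deny', 'sameorigin', 'allow-from' or 'unparseable'."""
    tokens = value.strip().split(None, 1)
    if len(tokens) == 1 and tokens[0].upper() in ("DENY", "SAMEORIGIN"):
        return tokens[0].lower(), None
    if len(tokens) == 2 and tokens[0].upper() == "ALLOW-FROM":
        return "allow-from", origin_of(tokens[1])
    return "unparseable", None


def _source_matches(ancestor, page, source):
    # Simplified frame-ancestors source matching (no scheme-less or wildcard hosts).
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return ancestor == page
    return ancestor == source


def framing_allowed(headers, page_url, ancestor_urls):
    """Decide whether page_url may be framed by the given chain of ancestor URLs."""
    headers = {k.lower(): v for k, v in headers.items()}
    page = origin_of(page_url)
    ancestors = [origin_of(a) for a in ancestor_urls]
    # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            ok = all(any(_source_matches(a, page, s) for s in sources) for a in ancestors)
            return ok, "decided by CSP frame-ancestors"
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return True, "no framing protection sent"
    kind, allowed = classify_xfo(xfo)
    if kind == "deny":
        return False, "X-Frame-Options: DENY"
    if kind == "sameorigin":
        # Chrome and Firefox check every ancestor, not just the immediate parent.
        return all(a == page for a in ancestors), "SAMEORIGIN checked against whole chain"
    if kind == "allow-from":
        return True, f"ALLOW-FROM fails open; migrate to: frame-ancestors 'self' {allowed}"
    return True, "unparseable X-Frame-Options value fails open (console warning)"
```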

Work will be tracked in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1301529
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform