In the first draft of the X-Frame-Options spec, the Allow-From header was supposed to be formatted like this (note that colon before the domain):
```http
X-Frame-Options: Allow-From: https://example.com
```
However, in the final spec there should be no colon:
```http
X-Frame-Options: Allow-From https://example.com
```
SecKit currently includes the colon, which causes the header to be ignored by Internet Explorer.
Patch to follow.
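As an added illustration (not part of this issue or of SecKit's own code), the following Python checker tells the draft-spec form with the colon apart from the final-spec form, validates the single serialized origin that ALLOW-FROM takes, and normalises the directive name to upper case. The function names and the sample header values are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample values for X-Frame-Options, as a scanner might see them
# in responses.  The first one is the draft-spec form this issue is about.
SAMPLE_VALUES = [
    "Allow-From: https://example.com",             # colon: ignored by IE
    "Allow-From https://example.com",              # final spec, mixed case
    "ALLOW-FROM https://Example.com:8443",         # final spec, upper case
    "DENY",
    "sameorigin",
    "ALLOW-FROM https://a.example https://b.example",  # only one origin allowed
    "ALLOW-FROM example.com",                      # not a serialized origin
]


def parse_x_frame_options(value):
    """Validate one X-Frame-Options value.

    Returns (normalized_value, None) when the value conforms to the final
    spec, or (None, reason) when it does not.  Directive names are matched
    case-insensitively and emitted in upper case.
    """
    tokens = value.strip().split()
    if not tokens:
        return None, "empty header value"
    directive = tokens[0].upper()
    args = tokens[1:]

    if directive in ("DENY", "SAMEORIGIN"):
        if args:
            return None, f"{directive} takes no argument"
        return directive, None

    # Draft-spec syntax: "Allow-From:" with a colon, with or without a
    # following space.  Browsers that implement the final spec ignore it,
    # so the page is left frameable.
    if directive.startswith("ALLOW-FROM:"):
        return None, "draft syntax: colon after ALLOW-FROM; header is ignored"

    if directive == "ALLOW-FROM":
        if len(args) != 1:
            return None, "ALLOW-FROM takes exactly one serialized origin"
        parts = urlsplit(args[0])
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            return None, f"not a serialized origin: {args[0]}"
        return f"ALLOW-FROM {parts.scheme}://{parts.netloc.lower()}", None

    return None, f"unknown directive: {tokens[0]}"


def build_x_frame_options(mode, origin=None):
    """Compose a conformant value for the header from a mode and optional origin.

    Raises ValueError instead of emitting a value a browser would ignore.
    """
    mode = mode.upper()
    if mode in ("DENY", "SAMEORIGIN"):
        return mode
    if mode == "ALLOW-FROM":
        if origin is None:
            raise ValueError("ALLOW-FROM needs an origin")
        normalized, reason = parse_x_frame_options(f"ALLOW-FROM {origin}")
        if reason:
            raise ValueError(reason)
        return normalized
    raise ValueError(f"unknown mode: {mode}")


def audit(values):
    """Return a list of (value, normalized, reason) for a batch of header values."""
    return [(v, *parse_x_frame_options(v)) for v in values]


if __name__ == "__main__":
    for value, normalized, reason in audit(SAMPLE_VALUES):
        status = normalized if normalized else f"REJECTED ({reason})"
        print(f"{value!r:50} -> {status}")
    print(build_x_frame_options("allow-from", "https://example.com"))
```

The audit rejects the colon form as a configuration defect rather than silently repairing it, which is the behaviour a scanner or a CI check over generated headers should have; ALLOW-FROM itself has since been dropped by browsers in favour of the Content-Security-Policy `frame-ancestors` directive, so a conformant value is necessary but no longer sufficient for clickjacking protection.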
| Comment | File | Size | Author |
|---|---|---|---|
| #18 | 2811351-18-X-Frame-Options.patch | 4.47 KB | gg4 |
| #17 | interdiff-2811351-13-17.txt | 621 bytes | gg4 |
| #17 | 2811351-17-X-Frame-Options.patch | 8.9 KB | gg4 |
| #13 | 2811351-13-X-Frame-Options.patch | 8.47 KB | gg4 |
| #9 | seckit-2811351-4.patch | 1.9 KB | Dane Powell |
Comments
Comment #2
Dane Powell (Acquia) commented: This removes the colon to fix compatibility with IE and bring it up to spec.
Comment #4
Dane Powell (Acquia) commented: Fixing test case.
Comment #5
pifagor commented: Make sure your patch please
Comment #6
pifagor commented.
Comment #7
pifagor commented: No sooner :(
Dane Powell, please add your patch from #4 again, as it disappeared during a simultaneous save. I'm sorry.
Comment #9
Dane Powell (Acquia) commented.
Comment #10
jweowu (Catalyst IT) commented.
Comment #11
Dane Powell (Acquia) commented.
Comment #12
pdenooijer (Ibuildings) commented: Patch 4 works fine :)!
Comment #13
gg4 commented: Following the spec a bit closer, see: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. HTTP verbs should be capitalized.
Patch depends on #2914000: Coding Standard fixes.
Comment #15
gg4 commented.
Comment #17
gg4 commented.
Comment #18
gg4 commented: Re-roll of #17
Comment #19
mcdruid commented: I think we fixed all of this in the 8.x-1.x branch in #3000696: X-FRAME-OPTIONS header syntax should be all caps
AFAICS it's not an issue in the D7 branch.
Therefore I'm closing this - please reopen if I've missed something.
Comment #20
gg4 commented: #18 is just code cleanup at this point, but still makes sense to commit for consistency of naming conventions.
Comment #22
mcdruid commented: Fair enough; I'm not that crazy about the capitalised labels, e.g.:
...but that's pretty much the standard's fault, not yours :)
Thanks @bonus (and @Dane Powell for the original patch).
Comment #23
pifagor commented: Thanks