script: Implement support for X-Frame-Options (#43539)

We now check for this header and corresponding logic. The WPT tests
mostly pass, but rely on the `contentDocument` of the iframe to be
`null`. This is not something we did before, which means that iframes
were able to access the contents of error pages.

Instead, we now mark the document as internal with an opaque origin
according to the spec [1]. We shouldn't do this post-fact, but it is
required since we first need to construct the document and enter its
realm, before we determine that it is an invalid document.

Fixes #16103

[1]:
https://html.spec.whatwg.org/multipage/document-lifecycle.html#navigate-ua-inline

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Tim van der Lippe
2026-03-23 07:14:27 +01:00
committed by GitHub
parent 047e3210d7
commit 01a29209b2
14 changed files with 231 additions and 25 deletions

@@ -958,7 +958,7 @@ impl HTMLIFrameElementMethods<crate::DomTypeHolder> for HTMLIFrameElement {
if !self
.owner_document()
.origin()
.same_origin_domain(document.origin())
.same_origin_domain(&document.origin())
{
return None;
}
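
Review bot: the `.same_origin_domain(&document.origin())` comparison carries no comment explaining its role for blocked frames, although the commit message says the document is given an opaque origin only after it has been constructed. If this is the path that makes `contentDocument` null for an X-Frame-Options error page, a short comment above the `if` saying that an opaque-origin document fails this check and yields `None` would make that dependency explicit. The added `&` also suggests `origin()` no longer hands back a reference, so please confirm the value is read at call time, after the origin has been replaced, and not from a copy taken earlier.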