Move to Chrome/Safari processing model

domenic · domenic · commit 5353b0e971c7 · 2020-08-07T14:59:37.000-04:00
diff --git a/source b/source
@@ -84839,18 +84839,43 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     </ol>
    </li>
 
-   <li><p>Let <var>xFrameOptions</var> be the result of <span
+   <li><p>Let <var>rawXFrameOptions</var> be the result of <span
    data-x="concept-header-list-get-decode-split">getting, decoding, and splitting</span>
    `<code>X-Frame-Options</code>` from <var>response</var>'s <span
    data-x="concept-response-header-list">header list</span>.</p></li>
 
-   <li><p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> a string that is
-   an <span>ASCII case-insensitive</span> match for "<code data-x="">deny</code>", then return
+   <li><p>Let <var>xFrameOptions</var> be a new <span>set</span>.</p></li>
+
+   <li><p><span data-x="list iterate">For each</span> <var>value</var> of
+   <var>rawXFrameOptions</var>, <span data-x="set append">append</span> <var>value</var>,
+   <span>converted to ASCII lowercase</span>, to <var>xFrameOptions</var>.</p></li>
+
+   <li>
+    <p>If <var>xFrameOptions</var>'s <span data-x="list size">size</span> is greater than 1, and
+    <var>xFrameOptions</var> <span data-x="list contains">contains</span> any of "<code
+    data-x="">deny</code>", "<code data-x="">allowall</code>", or "<code
+    data-x="">sameorigin</code>", then return false.</p>
+
+    <p class="note">The intention here is to block any attempts at applying
+    `<code>X-Frame-Options</code>` which were trying to do something valid, but appear confused.</p>
+
+    <p class="note">This is the only impact of the legacy "<code data-x="">ALLOWALL</code>" value
+    on the processing model.</p>
+   </li>
+
+   <li>
+    <p>If <var>xFrameOptions</var>'s <span data-x="list size">size</span> is greater than 1, then
+    return true.</p>
+
+    <p class="note">This means it contains multiple invalid values, which we treat the same way as
+    if the header was omitted entirely.</p>
+   </li>
+
+   <li><p>If <var>xFrameOptions</var>[0] is "<code data-x="">deny</code>", then return
    false.</p></li>
 
    <li>
-    <p>If <var>xFrameOptions</var> <span data-x="list contains">contains</span> a string that is an
-    <span>ASCII case-insensitive</span> match for "<code data-x="">sameorigin</code>", then:</p>
+    <p>If <var>xFrameOptions</var>[0] is "<code data-x="">sameorigin</code>", then:</p>
 
     <ol>
      <li><p>Let <var>ancestorDocument</var> be <var>browsingContext</var>'s <span
@@ -84874,11 +84899,61 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     </ol>
    </li>
 
-   <li><p>Return true.</p></li>
+   <li>
+    <p>Return true.</p>
+
+    <p class="note">If we've reached this point then we have a lone invalid value (which could
+    potentially be one the legacy "<code data-x="">ALLOWALL</code>" or "<code
+    data-x="">ALLOW-FROM</code>" forms). These are treated as if the header were omitted
+    entirely.</p>
+   </li>
   </ol>
 
   </div>
 
+  <div class="example">
+   <p>The following table illustrates how various non-conformant cases involving multiple values are
+   processed:</p>
+
+   <table class="data">
+    <thead>
+     <tr>
+      <th>`<code>X-Frame-Options</code>`</th>
+      <th>Result</th>
+     </tr>
+    </thead>
+    <tbody>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, SAMEORIGIN</code>`</td>
+      <td>same-origin embedding allowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, DENY</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, ALLOWALL</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">SAMEORIGIN, INVALID</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">ALLOWALL, INVALID</code>`</td>
+      <td>embedding disallowed</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">INVALID, INVALID</code>`</td>
+      <td>embedding allowed</td>
+     </tr>
+    </tbody>
+   </table>
+
+   <p>The same results are obtained whether the values are delivered in a single header, comma-delimited, or in
+   multiple headers.</p>
+  </div>
+
 
 
   <h3 split-filename="offline" id="offline">Offline web applications</h3> <!--APPCACHE-->
@@ -122277,7 +122352,7 @@ INSERT INTERFACES HERE
    <dd><cite><a href="https://tools.ietf.org/html/rfc6596">The Canonical Link Relation</a></cite>, M. Ohye, J. Kupke. IETF.</dd>
 
    <dt id="refsRFC7034">[RFC7034]</dt>
-   <dd><cite><a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a></cite>, D. Ross, T. Gondrom. IETF.</dd>
+   <dd>(Non-normative) <cite><a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a></cite>, D. Ross, T. Gondrom. IETF.</dd>
 
    <dt id="refsRFC7303">[RFC7303]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc7303">XML Media Types</a></cite>, H. Thompson, C. Lilley. IETF.</dd>
