** Prior Bug 1584998 -> the framing was allowed So now framing into a top-level document originating from is cross origin in my opinion, so our current implementation blocks it. Please note that there is no CSP which would render the XFO obsolete. The response header of that iframe load also includes XFO: SAMEORIGIN. The page then includes an iframe (see exact source of the iframe inclusion underneath) from. So XFO would be ignored on that page because of frame-ancestors, but any of that has nothing to do with the problem here.
#Firefox blocking https iframe react plus#
Visiting indicates that this document is using the response header XFO: sameorigin plus a CSP including frame-ancestors. There is definitely something wrong with our implementation of XFO, but I don't know what it is at this point. Setting the header should not prevent from loading from within the page as it currently does.
Seems to confirm this, the "x-frame-options: sameorigin" should prevent other pages from loading "within a iframe. Nightly prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it. The Embedded Google Maps portion of the page ( ) shows the following error: Blocked by X-Frame-Options PolicyĪn error occurred during a connection to. "x-frame-options: sameorigin" header set. This site has Google Maps Embedded in the webpage and uses the: Updated Firefox Nightly to 72.0a1 () (64-bit).
0 kommentar(er)
