Closed GoogleCodeExporter closed 9 years ago
This may be a bug in Blink or it may be intentional design. You can file a bug
report at http://crbug.com but I don't expect that it will be fixed. Here's
what's happening:
When --disable-web-security is specified Settings::webSecurityEnabled() will
return false in Blink and Document::initSecurityContext() will call
grantUniversalAccess() on the Document's SecurityOrigin (setting
SecurityOrigin::m_universalAccess = true):
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&l=4723
In the case of loading youtube.com in an iframe here's the exact error message:
Refused to display 'https://www.youtube.com/' in a frame because it set
'X-Frame-Options' to 'SAMEORIGIN'.
This message comes from Document::processHttpEquivXFrameOptions which calls
FrameLoader::shouldInterruptLoadForXFrameOptions:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&l=3015
The implementation of FrameLoader::shouldInterruptLoadForXFrameOptions compares
against the document's default SecurityOrigin using
SecurityOrigin::isSameSchemeHostPort:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/loader/FrameLoader.cpp&rcl=1423113308&l=1286
The SecurityOrigin::isSameSchemeHostPort implementation does not check the
value of |m_universalAccess| but instead just compares origin components:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp&rcl=1423113308&l=510
Since the origin components do not match the load is denied.
Original comment by magreenb...@gmail.com
on 5 Feb 2015 at 10:19
Original issue reported on code.google.com by
databack...@gmail.com
on 4 Feb 2015 at 2:00
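The distinction described in the comment above, as an added example that is not part of the original thread and is not Chromium source: a simplified C++ model showing that granting universal access changes the result of an access-style check but not of the component comparison used for `X-Frame-Options: SAMEORIGIN`. The struct layout, the shape of `canAccess`, the header parsing, and the handling of unknown values are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>

// Simplified model of the checks described in the thread; not Chromium source.
struct SecurityOrigin {
    std::string scheme, host;
    int port;
    bool universalAccess = false;  // models SecurityOrigin::m_universalAccess
    SecurityOrigin(std::string s, std::string h, int p)
        : scheme(std::move(s)), host(std::move(h)), port(p) {}
    void grantUniversalAccess() { universalAccess = true; }
    // Pure component comparison: the universal-access flag is never consulted.
    bool isSameSchemeHostPort(const SecurityOrigin& o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
    // Access-style check (assumed shape): the flag short-circuits the comparison.
    bool canAccess(const SecurityOrigin& o) const {
        return universalAccess || isSameSchemeHostPort(o);
    }
};

enum class XFrameOptions { None, Deny, SameOrigin, Invalid };

// Trim and lowercase the header value, then classify it.
XFrameOptions parseXFrameOptions(std::string v) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    v.erase(v.begin(), std::find_if(v.begin(), v.end(), notSpace));
    v.erase(std::find_if(v.rbegin(), v.rend(), notSpace).base(), v.end());
    std::transform(v.begin(), v.end(), v.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (v.empty()) return XFrameOptions::None;
    if (v == "deny") return XFrameOptions::Deny;
    if (v == "sameorigin") return XFrameOptions::SameOrigin;
    return XFrameOptions::Invalid;  // this model does not block on unknown values
}

// Returns true when the framed load must be refused.
bool shouldInterruptLoadForXFrameOptions(const std::string& header,
                                         const SecurityOrigin& top,
                                         const SecurityOrigin& framed) {
    switch (parseXFrameOptions(header)) {
        case XFrameOptions::Deny: return true;
        case XFrameOptions::SameOrigin: return !framed.isSameSchemeHostPort(top);
        default: return false;
    }
}
```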