apimall / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

Can not disable web_security #1520

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run cefclient.exe -disable-web-security or cefclient.exe --disable-web-security

What is the expected output? What do you see instead?
no

What version of the product are you using? On what operating system?
cef_binary_3.2217.1922_windows32 on Windows 8.1 x64

Please provide any additional information below.

Hi,
I want to add youtube.com as an iframe in my web page. But it sets 'X-Frame-Options' to 
'SAMEORIGIN'.
I see this comment in cef_types.h: 
  // Controls whether web security restrictions (same-origin policy) will be
  // enforced. Disabling this setting is not recommend as it will allow risky
  // security behavior such as cross-site scripting (XSS). Also configurable
  // using the "disable-web-security" command-line switch.
  ///
  cef_state_t web_security;

and https://code.google.com/p/cefpython/wiki/BrowserSettings writes:
web_security_disabled (bool)
Controls whether web security restrictions (same-origin policy) will be 
enforced. Disabling this setting is not recommend as it will allow risky 
security behavior such as cross-site scripting (XSS). Also configurable using 
the "disable-web-security" command-line switch.

Please give me some hints on how to do it!
Thanks.

Original issue reported on code.google.com by databack...@gmail.com on 4 Feb 2015 at 2:00

GoogleCodeExporter commented 9 years ago
This may be a bug in Blink or it may be intentional design. You can file a bug 
report at http://crbug.com but I don't expect that it will be fixed. Here's 
what's happening:

When --disable-web-security is specified Settings::webSecurityEnabled() will 
return false in Blink and Document::initSecurityContext() will call 
grantUniversalAccess() on the Document's SecurityOrigin (setting 
SecurityOrigin::m_universalAccess = true):
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&l=4723

In the case of loading youtube.com in an iframe here's the exact error message:

Refused to display 'https://www.youtube.com/' in a frame because it set 
'X-Frame-Options' to 'SAMEORIGIN'.

This message comes from Document::processHttpEquivXFrameOptions which calls 
FrameLoader::shouldInterruptLoadForXFrameOptions:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&l=3015

The implementation of FrameLoader::shouldInterruptLoadForXFrameOptions compares 
against the document's default SecurityOrigin using 
SecurityOrigin::isSameSchemeHostPort:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/loader/FrameLoader.cpp&rcl=1423113308&l=1286

The SecurityOrigin::isSameSchemeHostPort implementation does not check the 
value of |m_universalAccess| but instead just compares origin components:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp&rcl=1423113308&l=510

Since the origin components do not match the load is denied.

Original comment by magreenb...@gmail.com on 5 Feb 2015 at 10:19
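The comparison described in the comment above, as an added C++ example that is not part of the original thread and is not Blink's source: a simplified model showing that the universal-access flag relaxes script-access checks while the X-Frame-Options check, which only compares origin components, still blocks the frame. The `canAccess` body, the `XFrameOptions` enum, the three-argument function signature and the `app.example` origin are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Simplified model of the Blink class named in the comment above (not Blink code).
class SecurityOrigin {
public:
    SecurityOrigin(const std::string& scheme, const std::string& host, int port)
        : m_scheme(scheme), m_host(host), m_port(port) {}

    // Called on each Document's origin when web security is disabled.
    void grantUniversalAccess() { m_universalAccess = true; }

    // Script-access style check: honours the universal-access flag.
    bool canAccess(const SecurityOrigin& other) const {
        return m_universalAccess || isSameSchemeHostPort(other);
    }

    // Pure component comparison: never consults m_universalAccess.
    bool isSameSchemeHostPort(const SecurityOrigin& other) const {
        return m_scheme == other.m_scheme && m_host == other.m_host &&
               m_port == other.m_port;
    }

private:
    std::string m_scheme, m_host;
    int m_port;
    bool m_universalAccess = false;
};

enum class XFrameOptions { None, Deny, SameOrigin };

// Modelled on FrameLoader::shouldInterruptLoadForXFrameOptions; true = block.
bool shouldInterruptLoadForXFrameOptions(XFrameOptions header,
                                         const SecurityOrigin& framed,
                                         const SecurityOrigin& embedder) {
    if (header == XFrameOptions::Deny) return true;
    if (header == XFrameOptions::SameOrigin)
        return !framed.isSameSchemeHostPort(embedder);
    return false;
}

int main() {
    SecurityOrigin embedder("http", "app.example", 80);  // constructed sample origin
    SecurityOrigin framed("https", "www.youtube.com", 443);
    embedder.grantUniversalAccess();  // effect of --disable-web-security
    framed.grantUniversalAccess();
    std::cout << std::boolalpha << "canAccess: " << embedder.canAccess(framed)
              << "\nframe blocked: " << shouldInterruptLoadForXFrameOptions(
                     XFrameOptions::SameOrigin, framed, embedder) << "\n";
}
```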