Add CSP 1.1 frame-ancestors support [SPR-12699]

[spring-projects-issues]

Sébastien Deleuze opened SPR-12699 and commented

The purpose of this issue is adding CSP 1.1 frame-ancestors support in order to be able to enable Iframe based transports when an origin check is enabled.

X-Frame-Options: ALLOW-FROM uri is only supported by IE and Firefox. Chrome and Safari will support a similar functionality thanks to CSP 1.1 frame-ancestors. Currently, you still need to add flag to Chrome to enable frame-ancestors support (they seem to wait CSP 1.1 final to be published to make it available by default), and it is not yet supported in Safari. So until Safari and Chrome support it, we have to disable Iframe based transports when an origin check is specified by the user.

We should implement this when CSP 1.1 will supported by Safari and Chrome (I hope in 4.2 timeframe).

---

Issue Links:

• AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set [SPR-12660] #17260 AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set

[spring-projects-issues]

Sébastien Deleuze commented

frame-ancestors is now supported out of the box by Chrome and Firefox, but Safari still does not support it. I think we need this to be supported (with X-Frame-Options: ALLOW-FROM uri or frame-ancestors) on all the major browsers to enable this functionality, otherwise that could be a security issue, so we are waiting Safari support to progress on this issue.

[spring-projects-issues]

Sébastien Deleuze commented

Still no progress on Safari side, so I bring back this issue to the General Backlog ...

[spring-projects-issues]

Sébastien Deleuze commented

CSP 2.0 support has been just added in Safari 10.

[spring-projects-issues]

Sébastien Deleuze commented

Safari 10 will only be available with MacOS Sierra (not released yet), so I move this issue to 5.0 M3 to be able to do proper testing.

[spring-projects-issues]

Sébastien Deleuze commented

After a deeper look, I prefer closing this issue as won't fix.

frame-ancestors is now supported in Chrome and Safari 10, but X-Frame-Options has a limitation I did not initially identified : it supports only a single uri, making it not really usable for our use case where we support allowing multiple origins. And we have no way to avoid cross origin usage of iframes for older browser like Safari 9 and previous versions. So I think that's safer to keep current restriction : no Iframe based transport when an origin check is required.