
Why does only IE check the X-Frame-Options Header when iFrame src sends a file?

Debugging a strange problem, I stumbled across an interesting behaviour:

On a web page, I trigger a file download with the following JavaScript code:

// Create a hidden-by-default iframe, point it at the download script and
// attach it; the browser fetches download.php as a frame navigation.
var iframe = document.createElement("iframe");
iframe.src = 'download.php';
document.body.appendChild(iframe);

The PHP script download.php sends a text file with the X-Frame-Options header set to DENY:

<?php
   // Headers must be sent before any body output.
   header('X-Frame-Options: DENY');
   header('Content-type: text/plain');
   header('Content-Disposition: attachment; filename="text.txt"');
   // PHP drops the newline directly after "?>", so the body is just "Text".
?>
Text

Chrome and Firefox allow the file download, while IE 11 shows an iframe with a message saying the content can't be embedded.

What is the correct behaviour? To me, what IE does makes much more sense.

X-Frame-Options exists to prevent click-jacking. Preventing a file from being downloaded is not something that X-Frame-Options aims to achieve, since such a restriction can easily be bypassed by opening a link in a new window.

Therefore the behavior of Chrome and Firefox is correct.

(See also https://crbug.com/331211 "The X-Frame-Options flags aren't intended to prevent downloading. They only prevent displaying the page as a subframe.")
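The point the answer makes, that X-Frame-Options is only consulted when a response is about to be rendered as a document inside a frame, and that a download is diverted before that ever happens, can be shown with a small model of the browser's navigation steps. The following is an added example written for this page; it is not browser source code and not the asker's code. It follows the order of checks in the HTML Standard (download handling first, then the X-Frame-Options check at document creation), and the origins and header sets it uses are constructed for illustration. The first sample response carries exactly the headers download.php sends.

```javascript
// Added example: a model of how a browser treats a response loaded into an
// <iframe>. Origins and header values below are constructed for illustration.

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : String(headers[key]);
}

// A response whose Content-Disposition type is "attachment" is handed to the
// download manager before any document is created, so it is never framed.
function isDownload(headers) {
  const cd = getHeader(headers, 'content-disposition');
  if (cd === null) return false;
  return cd.split(';')[0].trim().toLowerCase() === 'attachment';
}

// Evaluate X-Frame-Options for a response that is about to become a framed
// document. ancestorOrigins lists the origins of every frame above it.
function xfoAllowsFraming(headers, responseOrigin, ancestorOrigins) {
  const raw = getHeader(headers, 'x-frame-options');
  if (raw === null) return true; // no header: framing is permitted

  // Repeated headers arrive comma-joined; directives are case-insensitive.
  const values = new Set(
    raw.split(',').map((v) => v.trim().toLowerCase()).filter((v) => v !== ''),
  );
  if (values.size === 0) return true;
  if (values.size > 1) {
    // Conflicting directives fail closed if any of them is a real one.
    for (const v of values) {
      if (v === 'deny' || v === 'sameorigin' || v === 'allowall') return false;
    }
    return true;
  }
  const [value] = values;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    // Every ancestor, not only the direct parent, must share the response origin.
    return ancestorOrigins.every((o) => o === responseOrigin);
  }
  // Unrecognised values (including the never-standardised ALLOW-FROM) are ignored.
  return true;
}

// Outcome of loading `response` into an iframe whose ancestors are `ancestorOrigins`.
function loadInIframe(response, ancestorOrigins) {
  if (isDownload(response.headers)) return 'download'; // XFO is never consulted
  if (!xfoAllowsFraming(response.headers, response.origin, ancestorOrigins)) {
    return 'blocked';
  }
  return 'rendered';
}

// Constructed responses. The first mirrors the headers download.php sends.
const downloadPhpResponse = {
  origin: 'https://site.example',
  headers: {
    'X-Frame-Options': 'DENY',
    'Content-Type': 'text/plain',
    'Content-Disposition': 'attachment; filename="text.txt"',
  },
};
const inlineResponse = {
  origin: 'https://site.example',
  headers: { 'X-Frame-Options': 'DENY', 'Content-Type': 'text/plain' },
};
const sameOriginOnly = {
  origin: 'https://site.example',
  headers: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Type': 'text/html' },
};

console.log(loadInIframe(downloadPhpResponse, ['https://other.example'])); // download
console.log(loadInIframe(inlineResponse, ['https://other.example']));      // blocked
console.log(loadInIframe(sameOriginOnly, ['https://site.example']));       // rendered
console.log(loadInIframe(sameOriginOnly, ['https://site.example', 'https://other.example'])); // blocked
```

Run with `node` and compare the four lines with the comments. The first case is the asker's exact setup and comes out as a download, matching Chrome and Firefox; dropping the Content-Disposition header turns the same response into a blocked frame, which is the only case X-Frame-Options was ever meant to cover. One caveat the model leaves out: when a response also carries a Content-Security-Policy header with a frame-ancestors directive, browsers ignore X-Frame-Options and apply the CSP directive instead, so a site migrating to CSP should not expect the two to be combined.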
