How to configure the X-Frame-Options response header with an allow-from value using Spring Java config?

How do I configure the X-Frame-Options response header with an allow-from value using Spring Java config?

    // disable the default frame-options writer, then register a whitelist-based one
    http.headers().frameOptions().disable()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(
            new WhiteListedAllowFromStrategy(
                Arrays.asList("https://example1.com", "https://example2.com"))));

In the Http Response headers, I get:

X-Frame-Options: "ALLOW-FROM DENY".

Why aren't my origins listed in the header value?

3 answers

I ended up adding my headers statically, as shown below:

    http.headers().frameOptions().disable()
        .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));

I searched for the same thing and did not find the answer. No matter how I tried to set it up, the header was always wrong.

My workaround uses the delegating header writer from the Spring Security documentation.

With it, I built the logic to always set SAMEORIGIN, except for a whitelist of requests:

    // whiteLists is a List<RequestMatcher> for the requests that may be framed
    new DelegatingRequestMatcherHeaderWriter(
        new NegatedRequestMatcher(new OrRequestMatcher(whiteLists)),
        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

Logic: if any of the whitelist matchers matches, do not add the header; otherwise add the header with a SAMEORIGIN value.

I think it's worth considering, because AFAIK not all browsers support ALLOW-FROM.

    // Disable the default policy. This line must not be omitted.
    http.headers().frameOptions().disable();
    // Add the new policy.
    http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(
        new WhiteListedAllowFromStrategy(
            Arrays.asList("http://itaobops.aliexpress.com",
                          "https://cpp.alibaba-inc.com",
                          "https://pre-cpp.alibaba-inc.com"))));
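Putting the two approaches from the answers together, as an added example that is not from the original thread: a Spring Security 4/5 Java config (the path `/widget/**` and the two origins are assumed values) that sends ALLOW-FROM only for pages meant to be embedded and SAMEORIGIN for everything else. It also shows why the setup in the question produced `ALLOW-FROM DENY`: `WhiteListedAllowFromStrategy` takes the embedding origin from a request parameter and falls back to `DENY` when that parameter is missing or not whitelisted.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FrameOptionsConfig extends WebSecurityConfigurerAdapter {

    // Assumed value: only this path is meant to be embedded by partner sites.
    private static final RequestMatcher EMBEDDABLE = new AntPathRequestMatcher("/widget/**");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        WhiteListedAllowFromStrategy allowFrom = new WhiteListedAllowFromStrategy(
                Arrays.asList("https://example1.com", "https://example2.com"));
        // The strategy reads the embedding origin from a request parameter
        // (default name "x-frames-allow-from"). If the parameter is absent or
        // its value is not in the list, the strategy yields "DENY", so the
        // response carries "X-Frame-Options: ALLOW-FROM DENY".
        allowFrom.setAllowFromParameterName("x-frames-allow-from");

        http.headers()
            // Switch off the default DENY writer so the two writers below decide.
            .frameOptions().disable()
            // Embeddable pages: ALLOW-FROM <whitelisted origin>, otherwise DENY.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                    EMBEDDABLE, new XFrameOptionsHeaderWriter(allowFrom)))
            // Everything else: SAMEORIGIN.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                    new NegatedRequestMatcher(EMBEDDABLE),
                    new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)));
    }
}
```

Browsers that never implemented ALLOW-FROM ignore the header entirely for those responses, so the same origin list should also be enforced with a Content-Security-Policy frame-ancestors directive.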

Source: https://habr.com/ru/post/1232751/
