Provide guidance on using X-Frame-Options with SockJS iframe transports [SPR-11496]

[spring-projects-issues]

Rossen Stoyanchev opened SPR-11496 and commented

SockJS has a couple of iframe-based transports. Those transports fail when using the Spring Security Java config, which automatically adds the X-Frame-Options: DENY response header (see documentation). Adding the following for example seems to work:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().addHeaderWriter(
        new XFrameOptionsHeaderWriter(
            XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
        .and()

    ...

  }
}

---

Affects: 4.0.2

Issue Links:

• Doc: SockJS not working in IE9 when Spring Security is enabled [SPR-11525] #16150 Doc: SockJS not working in IE9 when Spring Security is enabled ("is duplicated by")
• SEC-2501 Provide a simpler way to customize X-Frame-Options mode used by default in the Java config

Referenced from: commits 15188a8

[spring-projects-issues]

Rossen Stoyanchev commented

Note that the above configuration example succeeds in customizing the X-Frame-Options header value but disables other security related headers added by default. See SEC-2501.