Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide guidance on using X-Frame-Options with SockJS iframe transports [SPR-11496] #16121

Closed
spring-projects-issues opened this issue Feb 28, 2014 · 1 comment
Assignees
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: documentation A documentation task
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Feb 28, 2014

Rossen Stoyanchev opened SPR-11496 and commented

SockJS has a couple of iframe-based transports. Those transports fail when using the Spring Security Java config, which automatically adds the X-Frame-Options: DENY response header (see documentation). Adding the following for example seems to work:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().addHeaderWriter(
        new XFrameOptionsHeaderWriter(
            XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
        .and()

    ...

  }
}

Affects: 4.0.2

Issue Links:

Referenced from: commits 15188a8

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Feb 28, 2014

Rossen Stoyanchev commented

Note that the above configuration example succeeds in customizing the X-Frame-Options header value but disables other security related headers added by default. See SEC-2501.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: documentation A documentation task
Projects
None yet
Development

No branches or pull requests

2 participants