XFrameOptionsHeaderWriter with WhiteListedAllowFromStrategy doesn't work. #123
I am also seeing an issue with WhiteListedAllowFromStrategy. If I use this headers() configuration:
The following response header is generated:
Using StaticAllowFromStrategy for a single origin works fine:
produces
Exactly, StaticAllowFromStrategy is not an issue, the problem is occurring with only WhiteListedAllowFromStrategy.
You need to ensure that you have provided the origin using the x-frames-allow-from parameter and that origin must match one of the whitelisted origins.
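The behaviour described in the comment above, as an added example that is not part of the thread or of the project's own code: the writer is run against one request without the `x-frames-allow-from` parameter, one with a whitelisted origin, and one with an origin outside the whitelist, so the DENY fallback can be compared with the ALLOW-FROM case. It assumes Spring Security 4.x with spring-test on the classpath; the class name `AllowFromDemo`, the `/widget` path and the example origins are constructed for illustration.

```java
import java.util.Arrays;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

public class AllowFromDemo {

    // Constructed sample origins, not taken from the issue.
    static final String PORTAL = "https://portal.example.com";
    static final String PARTNER = "https://partner.example.org";

    // Same wiring a headers() configuration would pass to addHeaderWriter(...).
    static final XFrameOptionsHeaderWriter WRITER = new XFrameOptionsHeaderWriter(
            new WhiteListedAllowFromStrategy(Arrays.asList(PORTAL, PARTNER)));

    /** Runs the writer for one request; allowFrom == null means the parameter is absent. */
    static String headerFor(String allowFrom) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/widget");
        if (allowFrom != null) {
            // The strategy reads the candidate origin from this request parameter
            // and compares it, as an exact string, with the whitelist.
            request.setParameter("x-frames-allow-from", allowFrom);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        WRITER.writeHeaders(request, response);
        return response.getHeader("X-Frame-Options");
    }

    public static void main(String[] args) {
        System.out.println("no parameter    -> " + headerFor(null));
        System.out.println("whitelisted     -> " + headerFor(PARTNER));
        System.out.println("not whitelisted -> " + headerFor("https://other.example.net"));
    }
}
```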
On Spring Boot 1.5.12.RELEASE (configures spring-security 4.2.5.RELEASE), I'm seeing the exact behavior as described by @jalfonso
The |
I have this JavaConfig set up for spring security (extending WebSecurityConfigurerAdapter and @EnableWebSecurity)
And I add header writer from xframe to http using following.
Context boots up properly but now when I start using the application, always the header coming in request is DENY so the response goes with the same header as per writeHeaders method in XFrameOptionsHeaderWriter. Shouldn't my header contain all the ALLOW-FROM : specified by my config?