
XFrameOptionsHeaderWriter with WhiteListedAllowFromStrategy doesn't work. #123

Closed
indyaah opened this issue Aug 26, 2014 · 5 comments
Comments

@indyaah

indyaah commented Aug 26, 2014

I have this JavaConfig set up for Spring Security (extending WebSecurityConfigurerAdapter and annotated with @EnableWebSecurity).

I add the X-Frame-Options header writer to http using the following:

    ...
    http().addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(getWhitelistUrls())))
    ...

    private List<String> getWhitelistUrls() {
        String urls = environment.getProperty("application.whitelist.urls");
        return Arrays.asList(urls.split("\\s*,\\s*"));
    }

The context boots up properly, but now when I start using the application, the header coming in on the request is always DENY, so the response goes out with the same header, as per the writeHeaders method in XFrameOptionsHeaderWriter.

Shouldn't my header contain all the ALLOW-FROM values specified by my config?

@jalfonso

I am also seeing an issue with WhiteListedAllowFromStrategy. If I use this headers() configuration:

.addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("http://example.com"))))

The following response header is generated:

X-Frame-Options:ALLOW-FROM DENY

Using StaticAllowFromStrategy for a single origin works fine:

.addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI("http://example.com"))))

produces

X-Frame-Options:ALLOW-FROM http://example.com

@indyaah
Author

indyaah commented Sep 15, 2014

Exactly, StaticAllowFromStrategy is not an issue; the problem occurs only with WhiteListedAllowFromStrategy.

@rwinch
Member

rwinch commented Oct 21, 2014

You need to ensure that you have provided the origin using the x-frames-allow-from parameter and that origin must match one of the whitelisted origins.

@rwinch rwinch closed this as completed Oct 21, 2014
@sniederb

sniederb commented Aug 5, 2018

On Spring Boot 1.5.12.RELEASE (which configures spring-security 4.2.5.RELEASE), I'm seeing the exact behavior described by @jalfonso.

@schuch

schuch commented Dec 14, 2018

> I am also seeing an issue with WhiteListedAllowFromStrategy. If I use this headers() configuration:
>
> .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("http://example.com"))))
>
> The following response header is generated:
>
> X-Frame-Options:ALLOW-FROM DENY
>
> Using StaticAllowFromStrategy for a single origin works fine:
>
> .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI("http://example.com"))))
>
> produces
>
> X-Frame-Options:ALLOW-FROM http://example.com

The ALLOW-FROM DENY issue was fixed with #4559.
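To make the two points in this thread concrete (rwinch's note that the origin must arrive in the x-frames-allow-from request parameter and match the whitelist, and the "ALLOW-FROM DENY" header reported above), here is an added stand-alone example. It is not Spring Security's code: AllowFromWhitelist, allowFromValue, buggyHeader and fixedHeader are constructed names, and request parameters are modelled as a plain Map instead of an HttpServletRequest.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Constructed stand-in for a whitelist-based ALLOW-FROM strategy: the framing
// origin must be supplied by the request itself, in the x-frames-allow-from
// parameter, and must be one of the configured origins.
final class AllowFromWhitelist {
    static final String PARAM = "x-frames-allow-from";
    private final List<String> allowed;

    AllowFromWhitelist(List<String> allowed) {
        this.allowed = allowed;
    }

    // Decision rule: the whitelisted origin from the request, or DENY when the
    // parameter is absent or not whitelisted. With no parameter on the request
    // (the situation in the first comment) this always yields DENY.
    String allowFromValue(Map<String, String> requestParams) {
        String origin = requestParams.get(PARAM);
        return origin != null && allowed.contains(origin) ? origin : "DENY";
    }

    // Header composition that reproduces the report above: the "ALLOW-FROM "
    // prefix is added unconditionally, so a DENY decision becomes the invalid
    // token sequence "ALLOW-FROM DENY", which browsers do not treat as DENY.
    String buggyHeader(Map<String, String> requestParams) {
        return "ALLOW-FROM " + allowFromValue(requestParams);
    }

    // Corrected composition: emit the bare DENY token, and prefix only a real origin.
    String fixedHeader(Map<String, String> requestParams) {
        String value = allowFromValue(requestParams);
        return "DENY".equals(value) ? value : "ALLOW-FROM " + value;
    }

    public static void main(String[] args) {
        AllowFromWhitelist strategy = new AllowFromWhitelist(Arrays.asList("http://example.com"));
        // Constructed sample requests: no parameter, a whitelisted origin, a non-whitelisted one.
        Map<String, String> noParam = Collections.emptyMap();
        Map<String, String> whitelisted = Collections.singletonMap(PARAM, "http://example.com");
        Map<String, String> other = Collections.singletonMap(PARAM, "http://other.example");
        System.out.println("no parameter, buggy composition: " + strategy.buggyHeader(noParam));
        System.out.println("no parameter, fixed composition: " + strategy.fixedHeader(noParam));
        System.out.println("whitelisted origin:              " + strategy.fixedHeader(whitelisted));
        System.out.println("non-whitelisted origin:          " + strategy.fixedHeader(other));
    }
}
```

Compile and run with javac/java to compare the header each request produces; only the whitelisted request yields an ALLOW-FROM header, every other request is denied.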
