SEC-2501: Provide a simpler way to customize X-Frame-Options mode used by default in the Java config #2718

Closed
spring-issuemaster opened this Issue Feb 28, 2014 · 2 comments

spring-issuemaster commented Feb 28, 2014

Rossen Stoyanchev (Migrated from SEC-2501) said:

Customizing the X-Frame-Options mode used by default in the Java config is not an unlikely customization. For example the SockJS protocol has two iframe based protocols, which are actually the main choice when running in IE 8, 9. Both transports fail with Spring Security's Java config out of the box.

A customization like this is possible:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().addHeaderWriter(
        new XFrameOptionsHeaderWriter(
            XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
        .and()

    ...

  }
}

It would be nice to get a simpler syntax for this customization.

The second challenge is that, in customizing the X-Frame-Options value via .headers(), I've actually disabled all other security. This is actually not obvious, and there is also no convenient recourse. I suppose I could re-enable all of them, but I would have to keep checking with every new Spring Security release if there are others. It would be much better if I could customize the X-Frame-Options header only.
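The "re-enable all of them" recourse mentioned above, written out as an added example (this is not code from the issue or from Spring Security itself; the class name is my own). It targets the Spring Security 3.2-era Java config the issue is about: because any call to addHeaderWriter() replaces the default writer set, the configuration lists the X-Frame-Options writer with SAMEORIGIN and then explicitly re-adds each of the other writers that 3.2 installs by default, so relaxing one header does not silently drop the rest.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

/**
 * Example (not project code): Spring Security 3.2-style Java config that relaxes
 * X-Frame-Options from DENY to SAMEORIGIN, so same-origin SockJS iframe transports
 * can load in IE 8/9, while keeping every other default security header.
 *
 * Calling addHeaderWriter() switches off the built-in default set, so each default
 * writer is re-added by hand below. Anything a later release adds to its defaults
 * will not appear here unless this list is updated.
 */
@EnableWebSecurity
public class SameOriginFramingSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers()
        // The single value we want to change: frames from our own origin only.
        // DENY (the default) blocks the SockJS iframe fallbacks entirely.
        .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
        // Re-add the remaining 3.2 defaults explicitly.
        .addHeaderWriter(new CacheControlHeadersWriter())        // Cache-Control / Pragma / Expires
        .addHeaderWriter(new XContentTypeOptionsHeaderWriter())  // X-Content-Type-Options: nosniff
        .addHeaderWriter(new HstsHeaderWriter())                 // Strict-Transport-Security (HTTPS requests only)
        .addHeaderWriter(new XXssProtectionHeaderWriter())       // X-XSS-Protection: 1; mode=block
        .and()
      .authorizeRequests()
        .anyRequest().authenticated()
        .and()
      .formLogin();
  }
}
```

Two things to check when adopting this. First, HstsHeaderWriter's no-argument constructor only writes the header on secure (HTTPS) requests, so a plain-HTTP test will not show Strict-Transport-Security; that is by design, not a misconfiguration. Second, the list above is exactly the set of defaults 3.2 ships, which is the maintenance burden the comment describes: a newer release that adds a default writer will not be reflected until this list is revisited.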


spring-issuemaster commented Jan 26, 2015

Rob Winch said:

Needs to easily support

  • Customize existing default - i.e. how to change X-FRAME-OPTIONS from DENY to SAMEORIGIN and preserve all default headers
  • Remove an existing default - i.e. Remove HSTS, but preserve all other default headers
  • Add another header to the defaults - i.e. Add a custom header and preserve all other default headers
  • Disable all the defaults and allow only custom configuration
  • Disable all the defaults and easily add some combination of the defaults and adding custom
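The five requirements above, mapped one-to-one onto the fluent headers DSL that Spring Security 4.0 later introduced (frameOptions().sameOrigin(), httpStrictTransportSecurity().disable(), defaultsDisabled(), and friends). This is an added illustration, not code from the issue or from the project; the class name, the helper method names and the choice of X-Permitted-Cross-Domain-Policies as the "custom header" are mine. Only configure() is wired in; the other methods are shown side by side so each bullet's shape can be compared, and any one of them could replace the body of configure().

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

/**
 * Example (not project code): each method corresponds to one of the five
 * header-customization cases, using the Spring Security 4.x headers DSL.
 */
@EnableWebSecurity
public class HeadersCustomizationConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // 1. Customize an existing default and preserve all the others:
    //    X-Frame-Options becomes SAMEORIGIN instead of DENY; HSTS, nosniff,
    //    cache control and XSS protection stay in place.
    http
      .headers()
        .frameOptions().sameOrigin()
        .and()
      .authorizeRequests()
        .anyRequest().authenticated();
  }

  // 2. Remove one default (HSTS) and preserve all other default headers.
  private void removeHsts(HttpSecurity http) throws Exception {
    http.headers()
      .httpStrictTransportSecurity().disable();
  }

  // 3. Add a custom header on top of the defaults.
  //    X-Permitted-Cross-Domain-Policies is just the header chosen for this example.
  private void addCustomHeader(HttpSecurity http) throws Exception {
    http.headers()
      .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"));
  }

  // 4. Disable all defaults; only headers listed explicitly are written.
  private void onlyCustomHeaders(HttpSecurity http) throws Exception {
    http.headers()
      .defaultsDisabled()
      .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"));
  }

  // 5. Disable all defaults, then opt back into a chosen subset plus a custom header.
  private void subsetPlusCustom(HttpSecurity http) throws Exception {
    http.headers()
      .defaultsDisabled()
      .frameOptions().sameOrigin()        // opt back in: X-Frame-Options: SAMEORIGIN
      .contentTypeOptions().and()         // opt back in: X-Content-Type-Options: nosniff
      .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"));
  }
}
```

The practical difference from the 3.2 workaround is case 1: a single frameOptions().sameOrigin() call changes one header and leaves the default set intact, so nothing has to be re-listed and nothing is silently dropped when the framework adds a new default. Case 4 is the explicit, visible way to get the "all other headers gone" behaviour that the issue describes as happening by accident.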

spring-issuemaster commented Feb 10, 2015

Rob Winch said:

I created SEC-2846 to track this issue because the problem should:

  • Include customizing all headers
  • Work in XML Configuration
  • As mentioned in the description of this issue, be more obvious when default headers are disabled