15

I have two web applications: web application (web-app) and report web. I want to embedded report web in web-app in a <iframe>. So it refused by Browser with the error:

X-Frame-Options: DENY

Any help?

flavio.donze
  • 7,432
  • 9
  • 58
  • 91
haizpt
  • 245
  • 1
  • 3
  • 5

3 Answers3

19

The value of X-Frame-options can be DENY (default), SAMEORIGIN, and ALLOW-FROM uri. According to Spring Security documentation you can tell Spring to overwrite the default behaviour adding your custom header that way:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))))
    ...
}

and Spring shall append X-Frame-Options: ALLOW-FROM ... or

 .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

for X-Frame-Options: SAMEORIGIN or make it completely disable by

http.headers().frameOptions().disable()
m c
  • 1,104
  • 1
  • 12
  • 21
9

EDIT (06.2020) - The X-Frame options are OBSOLETE:

"The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored."
https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options

so consider using content-security-policy:

<headers>
    <content-security-policy policy-directives="frame-ancestors 'self'"/>
</headers>

If you are using Spring Security 4.x the following configuration will solve your problem (assuming the webapp runs on the same server address).

XML configuration:

<http>
    <!-- ... -->

    <headers>
        <frame-options policy="SAMEORIGIN" />
    </headers>
</http>

Java configuration:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers().frameOptions().sameOrigin();
    }
}

Disable Configuration

You could also just disable it, being aware of the security risk.

http.headers().frameOptions().disable();


Background Information

In Spring Security 3.2.0, security headers were introduced, but were disabled by default:
http://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/

In Spring Security 4.x the headers are enabled by default (for IFrames: X-Frame-Options: DENY): "Spring Security 4.x has changed both the Java Configuration and XML Configuration to require explicit disabling of defaults."
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-header

source: http://docs.spring.io/autorepo/docs/spring-security/4.0.x/reference/html/headers.html#headers-frame-options

flavio.donze
  • 7,432
  • 9
  • 58
  • 91
  • No. Your Java listing will not compile (even though the docs say it will). – Erica Kane May 05 '16 at 17:10
  • Well you need to remove the "// ..." part since this is not java syntax and stands for previous configurations of the `HttpSecurity http` object. – flavio.donze May 06 '16 at 06:15
  • I did all of that. It doesn't work. The docs are wrong, as they are in a few places with respect to the Java configuration of headers. @medveshonok117 has the right answer. – Erica Kane May 06 '16 at 17:07
  • What's wrong? You get a compile error? Configuration `configure()` doesn't get called? – flavio.donze May 07 '16 at 06:05
  • The problem comes in if you have multiple header options to configure. And while there are zero examples given in the documentation, I did eventually figure it out. In most cases you need to use multiple copies of `.and()` in a row. – Erica Kane May 09 '16 at 17:40
0

You can use 

<headers>
  <frame-options policy="SAMEORIGIN"/>
</headers>

inside your <http> configuration in your security application context XML

Tzvika Stein
  • 1
  • 1