
Imagine you have a Spring Boot application and you only want to create one page which can be embedded as an iframe. All other pages should still have the default x-frame-options: deny header.

  • I couldn't find a corresponding annotation (I expected something like the @CrossOrigin annotation, but generic for headers).
  • I tried to change the headers through the HttpServletResponse, but it seems that the security headers get overwritten afterwards.
  • I tried to use http.antmatcher("/controller").frameOptions().disable(), but this breaks the rest of my authentication - and I miss a .allow(domain) method.

I know that I could create some filter code but I hope that there is a simpler solution.

Any ideas?

rdmueller
    Possible duplicate of https://stackoverflow.com/questions/42111346/how-to-give-request-matcher-in-spring-security-for-x-frame-options – dur Oct 03 '18 at 09:24
  • Thanks. I will give it a try, but I hoped for a solution without having to code... – rdmueller Oct 03 '18 at 10:34
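A configuration-level alternative that keeps DENY on every path except one and names the single allowed embedding origin via CSP frame-ancestors, as an added example that is not part of the original question or any of the answers; the path /someiframepath, the class name and the origin https://partner.example are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FrameOptionsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: the one path that may be embedded, and the one origin allowed to embed it.
    private static final String EMBEDDABLE_PATH = "/someiframepath";
    private static final String EMBEDDING_ORIGIN = "https://partner.example";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestMatcher embeddable = new AntPathRequestMatcher(EMBEDDABLE_PATH);

        http.headers()
            // Turn off the global X-Frame-Options writer; the path-scoped writers below replace it.
            .frameOptions().disable()
            // Every request that is NOT the embeddable page keeps X-Frame-Options: DENY.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new NegatedRequestMatcher(embeddable),
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)))
            // The embeddable page names its permitted parent via CSP frame-ancestors,
            // since the ALLOW-FROM form of X-Frame-Options is not reliably supported by browsers.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                embeddable,
                new StaticHeadersWriter("Content-Security-Policy",
                    "frame-ancestors " + EMBEDDING_ORIGIN)))
            .and()
            // Authentication rules are left untouched; only the header writers are path-scoped.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```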

2 Answers


To allow iframe embedding only for a specific controller and not for the whole website, this is my approach:

    @RequestMapping("/someiframepath")
    public String iframe(HttpServletResponse response, Model model) {
        // override the X-Frame-Options header that Spring Security sets by default
        response.setHeader("X-Frame-Options", "");
        // .... DO SOMETHING ....
        return "your view";
    }

Hope it helps!

kimy82

Setting these headers to the response worked for me.

response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", " frame-ancestors 'self'");

X-Frame-Options has been superseded by Content-Security-Policy (frame-ancestors), but it is not yet supported by some browsers, so it's better to set both for now. Reference: https://infosec.mozilla.org/guidelines/web_security#x-frame-options

Pat