Search code examples
springspring-securityx-frame-options

WhiteListedAllowFromStrategy does not work

I'm using Spring Security 5.1.5.RELEASE and trying to set ALLOW FROM to X-Frame-Options

I use the WhiteListedAllowFromStrategy and pass a list of URLs to white list although the header that is sent is X-Frame-Options: DENY

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        String permittedRoutes [] = {"/", "/register"};

        http
            .headers()
                .frameOptions()
                    .disable()
                .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("https://google.com"))));

        http
            .authorizeRequests()
                .antMatchers(permittedRoutes).permitAll()
                .and()
            .authorizeRequests()
                .antMatchers("/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/")
                .defaultSuccessUrl("/home", true)
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/?logout");
    }

    @Override
    public void configure(WebSecurity web) {
        web
            .ignoring()
                .antMatchers("/assets/**", "/css/**", "/images/**", "/js/**", "/fonts/**", "fonts.googleapis.com/**", "fonts.gstatic.com/**");
    }
}

Any leads?

Solution

  • To use the WhiteListedAllowFromStrategy, you have to add the x-frames-allow-from parameter (with the origin as value) to your request, see XFrameOptionsHeaderWriter with WhiteListedAllowFromStrategy doesn't work:

    rwinch commented on 21 Oct 2014

    You need to ensure that you have provided the origin using the x-frames-allow-from parameter and that origin must match one of the whitelisted origins.

    See also WhiteListedAllowFromStrategy#setAllowFromParameterName:

    public void setAllowFromParameterName(java.lang.String allowFromParameterName)

    Sets the HTTP parameter used to retrieve the value for the origin that is allowed from. The value of the parameter should be a valid URL. The default parameter name is "x-frames-allow-from".

    If you want to allow only one origin at all, you could use StaticAllowFromStrategy instead of WhiteListedAllowFromStrategy.