
X-Frame Options Spring Boot


So I'm trying to configure an iframe on my Spring Boot application. However, I'm struggling to get the X-Frame-Options to ALLOW-FROM. Here's what I have for my HTML and Spring Security file.

HTML IFrame:

<div class="gridItem8">
    <iframe src="https://www.youtube.com/watch?v=HV2LVEPrKGs&feature=emb_title" title="Halo Video"></iframe>
</div>

Security Config:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers().authenticated()
        .antMatchers( "/", "/about", "/signup", "/signUpForm",
            "/signUpFormError", "/login", "/logOut", "/ForgotPasswordPage", "/Forgot_Password",
            "/SignUp", "/registrationComplete").permitAll()
        .antMatchers("/LoggedInUser/**").hasAnyAuthority("ADMIN", "USER", "MODERATOR")
        .anyRequest().authenticated().and().csrf().disable().formLogin()
        .loginPage("/login").failureUrl("/login?error=true")
        .defaultSuccessUrl("/LoggedInUser/success")
        .usernameParameter("email")
        .passwordParameter("password")
        .and().logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logOut"))
        .logoutSuccessUrl("/")
        .and()
        .headers()
        // Turn off Spring Security's default X-Frame-Options: DENY ...
        .frameOptions()
        .disable()
        // ... and write a custom value on this application's own responses instead.
        .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS",
                "ALLOW-FROM https://www.youtube.com/watch?v=HV2LVEPrKGs&feature=emb_title"));
}

Any help would be much appreciated. Thanks!


Solution

  • X-Frame-Options is an HTTP response header which is set by the server from which you are requesting the resource. It is used to indicate whether or not the browser should be allowed to render a page in a <frame>, to avoid click-jacking attacks by ensuring that the content is not embedded into other sites.
    Please see the MDN docs about it: X-Frame-Options.

    So if a resource on youtube.com sets X-Frame-Options to DENY, then that resource is not allowed to render in a <frame>. If it is SAMEORIGIN, the resource can only be rendered in a <frame> on the same domain as the page itself. ALLOW-FROM uri is an obsolete directive that no longer works in modern browsers.

    If you want to embed a YouTube video in your site, just use the share feature and copy the HTML code into your site; it should work. Here's an example.
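To make the answer's point concrete, here is an added example (not from the question or the answer) modelling how a browser applies X-Frame-Options when a page tries to frame a resource: the decision depends only on the headers sent by the embedded resource's server, so the header the question sets on the app's own responses never enters into it. Host names such as myapp.example and all header sets are constructed for illustration.

```javascript
// Decide whether a browser would let the page at `embedderUrl` render the
// resource at `resourceUrl` in an <iframe>, given the response headers that
// the RESOURCE's server returned. The embedder's own headers are not an
// input at all; they cannot grant or deny framing of someone else's page.
// Returns { allowed: boolean, reason: string }.
function framingDecision(resourceUrl, embedderUrl, resourceHeaders) {
  const resourceOrigin = new URL(resourceUrl).origin;
  const embedderOrigin = new URL(embedderUrl).origin;

  // Header names are case-insensitive, so match them without regard to case.
  const key = Object.keys(resourceHeaders).find(
    (k) => k.toLowerCase() === "x-frame-options"
  );
  const raw = key ? resourceHeaders[key].trim() : "";
  const directive = raw.split(/\s+/)[0].toUpperCase();

  if (!raw) {
    return { allowed: true, reason: "resource sent no X-Frame-Options" };
  }
  if (directive === "DENY") {
    return { allowed: false, reason: "DENY: resource may not be framed anywhere" };
  }
  if (directive === "SAMEORIGIN") {
    const same = resourceOrigin === embedderOrigin;
    return {
      allowed: same,
      reason: same
        ? "SAMEORIGIN: embedder shares the resource's origin"
        : `SAMEORIGIN: ${embedderOrigin} is not ${resourceOrigin}`,
    };
  }
  // ALLOW-FROM is obsolete: modern browsers treat it, like any other
  // unrecognised value, as an invalid header and ignore it completely,
  // so it neither blocks framing nor whitelists anyone.
  return {
    allowed: true,
    reason: `obsolete/unrecognised value "${raw}" is ignored by modern browsers`,
  };
}

// Constructed sample mirroring the question: an app page framing a YouTube
// watch URL. The app's ALLOW-FROM header below is only shown to make clear
// that it has no effect; the browser looks at youtube.com's header instead.
const APP_PAGE = "https://myapp.example/LoggedInUser/success";
const VIDEO = "https://www.youtube.com/watch?v=HV2LVEPrKGs";
const youtubeSameOrigin = { "X-Frame-Options": "SAMEORIGIN" }; // constructed
const appAllowFrom = { "X-FRAME-OPTIONS": "ALLOW-FROM https://www.youtube.com" };

console.log(framingDecision(VIDEO, APP_PAGE, youtubeSameOrigin)); // allowed: false
```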