I have two web applications: web application (web-app) and report web. I want to embed report web in web-app in an <iframe>. It is refused by the browser with the error:
X-Frame-Options: DENY
Any help?
To enable the ability to load the site in an iframe: In the left panel, click Settings, and then click Site SSL. Click the Allow site to be loaded in an iframe toggle.
The <iframe> tag specifies an inline frame. An inline frame is used to embed another document within the current HTML document. Tip: use CSS to style the <iframe>.
An inline frame (iframe) is an HTML element that loads another HTML page within the document. It essentially puts another web page within the parent page. They are commonly used for advertisements, embedded videos, web analytics and interactive content.
The value of X-Frame-Options can be DENY (default), SAMEORIGIN, or ALLOW-FROM uri. According to the Spring Security documentation you can tell Spring to override the default behaviour by adding your own header writer, like this:
```java
import java.util.Arrays;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            // emit X-Frame-Options: ALLOW-FROM only for the whitelisted host(s)
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))))
    ...
}
```
and Spring shall append X-Frame-Options: ALLOW-FROM ... or
```java
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
```
for X-Frame-Options: SAMEORIGIN, or disable it completely with
```java
http.headers().frameOptions().disable()
```
EDIT (06.2020) - The X-Frame options are OBSOLETE:
"The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored."
https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options
so consider using content-security-policy:
```xml
<headers>
    <content-security-policy policy-directives="frame-ancestors 'self'"/>
</headers>
```
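As an added illustration (not code from the question or from either answer), the following Python evaluates, for a response carrying the headers discussed above, whether a given top-level page would be allowed to embed it. It applies the precedence rule quoted from the CSP2 spec (a frame-ancestors directive, when present, overrides X-Frame-Options) and the three X-Frame-Options values listed at the top of this answer. The header values and hostnames are constructed samples, and the source-expression matching is a simplification of CSP's rules (scheme, host with a leading `*.` wildcard, port) rather than the full algorithm.

```python
"""Decide whether a response's anti-framing headers let a given page embed it.

Added example: evaluates X-Frame-Options (DENY / SAMEORIGIN / ALLOW-FROM) and
the CSP frame-ancestors directive, which takes precedence when present.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)


def _header(headers, name):
    """Case-insensitive lookup of one response header; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _source_matches(expr, framer, self_origin):
    """Simplified CSP source-expression match (scheme, host incl. '*.' prefix, port)."""
    expr = expr.strip().lower()
    if expr == "*":
        return True
    if expr == "'none'":
        return False
    if expr == "'self'":
        return framer == self_origin
    f_scheme, f_host, f_port = framer
    if expr.endswith(":") and "/" not in expr:        # scheme-source such as https:
        return f_scheme == expr[:-1]
    scheme, _, hostport = expr.rpartition("://")      # scheme is '' for a bare host
    hostport = hostport.split("/", 1)[0]              # drop any path component
    host, _, port = hostport.partition(":")
    if scheme and scheme != f_scheme:
        return False
    if port and port != "*" and port != str(f_port):
        return False
    if not port and f_port != (443 if f_scheme == "https" else 80):
        return False                                  # implicit port = scheme default
    if host.startswith("*."):
        return f_host.endswith(host[1:])              # '*.a.b' matches x.a.b, not a.b
    return host == f_host


def framing_allowed(headers, page_url, framer_url):
    """True if the document at page_url, served with these headers, may be
    embedded in a frame by a top-level document at framer_url."""
    self_origin = origin_of(page_url)
    framer = origin_of(framer_url)

    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                # frame-ancestors governs; X-Frame-Options is ignored (CSP2 rule)
                return any(_source_matches(s, framer, self_origin) for s in value.split())

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True                                   # nothing forbids framing
    mode, _, uri = xfo.partition(" ")
    mode = mode.upper()
    if mode == "DENY":
        return False
    if mode == "SAMEORIGIN":
        return framer == self_origin
    if mode == "ALLOW-FROM":                          # legacy value, dropped by current browsers
        return origin_of(uri.strip()) == framer
    return True                                       # unrecognised value is ignored


# Constructed sample responses from a hypothetical "report web" deployment.
REPORT_DENY = {"X-Frame-Options": "DENY"}                      # Spring Security 4.x default
REPORT_SAMEORIGIN = {"x-frame-options": "SAMEORIGIN"}          # frameOptions().sameOrigin()
REPORT_CSP = {                                                 # frame-ancestors wins over the DENY
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.intranet.example",
}

if __name__ == "__main__":
    report = "https://reports.example.com/"
    framers = ("https://reports.example.com/app", "https://webapp.example.com/", "https://portal.intranet.example/")
    for label, hdrs in (("DENY", REPORT_DENY), ("SAMEORIGIN", REPORT_SAMEORIGIN), ("CSP", REPORT_CSP)):
        for framer in framers:
            print(f"{label:10} framed by {framer:40} -> {framing_allowed(hdrs, report, framer)}")
```

Run against a real deployment by feeding it the response headers of the report application and the URL of the page that hosts the iframe; the third sample shows why the CSP directive is the one to get right when both headers are present, since the stale DENY is simply ignored.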
If you are using Spring Security 4.x the following configuration will solve your problem (assuming the webapp runs on the same server address).
XML configuration:
```xml
<http>
    <!-- ... -->
    <headers>
        <frame-options policy="SAMEORIGIN" />
    </headers>
</http>
```
Java configuration:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            // send X-Frame-Options: SAMEORIGIN instead of the 4.x default DENY
            .headers().frameOptions().sameOrigin();
    }
}
```
Disable Configuration
You could also just disable it, being aware of the security risk.
```java
http.headers().frameOptions().disable();
```
Background Information
In Spring Security 3.2.0, security headers were introduced, but were disabled by default:
http://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/
In Spring Security 4.x the headers are enabled by default (for IFrames: X-Frame-Options: DENY):
"Spring Security 4.x has changed both the Java Configuration and XML Configuration to require explicit disabling of defaults."
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-header
source: http://docs.spring.io/autorepo/docs/spring-security/4.0.x/reference/html/headers.html#headers-frame-options