Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to disable 'X-Frame-Options' response header in Spring Security?

Tags:

java

spring

spring-boot

x-frame-options

spring-security

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags

like image 594
Bravo Avatar asked Feb 21 '15 14:02

Bravo

People also ask

How do I remove X-frame-options from response header?

You can remove the HTTP header X-Frame-Options: SAMEORIGIN from WordPress by removing the send_frame_options_header function from the admin_init and login_init hooks.

What is HTTP headers () frameOptions ()?

http .headers(headers -> headers .frameOptions(frameOptions -> frameOptions .sameOrigin() ) ) This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.

What is X-frame-Options deny?

X-Frame-Options:DENY is a header that forbids a page from being displayed in a frame. If your server is configured to send this heading, your sign-on screen will not be allowed to load within the embed codes provided by Credo, which use the iframe HTML element.

1 Answers

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>         <headers>         <frame-options policy="SAMEORIGIN"/>     </headers> </http>

Here are available options for policy

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note, that you might need also to specify appropriate strategy, based on needs.

like image 156
vtor Avatar answered Sep 18 '22 01:09

vtor
Sign in to Comment

Related questions

Where can I download Spring Framework jars without using Maven?
CountDownLatch vs. Semaphore
Variable's scope in a switch case [duplicate]
maven-site plugins 3.3 java.lang.ClassNotFoundException: org.apache.maven.doxia.siterenderer.DocumentContent
How to disable spring security for particular url
How to get default ZoneOffset in java8?
Can I multiply strings in Java to repeat sequences? [duplicate]
Why cannot cast Integer to String in java?
How to convert a byte to its binary string representation
Difference between a SOAP message and a WSDL?
How to convert a multipart file to File?
Best way to encode text data for XML in Java?
How to make a JTable non-editable
Wrong Manifest.mf in IntelliJ IDEA created .jar
Open a link in browser with java button? [duplicate]
Default garbage collector for Java 8
How to Convert Int to Unsigned Byte and Back
Best practice for passing many arguments to method?
Java 8, Streams to find the duplicate elements
The following classes could not be instantiated: - android.support.v7.widget.Toolbar

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!