Reputation: 245
Allow Web Page To Be Rendered Inside HTML Frame
I have two web applications: web application (web-app) and report web. I want to embedded report web in web-app in a <iframe>. So it refused by Browser with the error:
X-Frame-Options: DENY
Any help?
Upvotes: 15
Views: 23754
Answers (3)
Reputation: 8100
EDIT (06.2020) - The X-Frame options are OBSOLETE:
"The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored."
https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options
so consider using content-security-policy:
<headers>
<content-security-policy policy-directives="frame-ancestors 'self'"/>
</headers>
If you are using Spring Security 4.x the following configuration will solve your problem (assuming the webapp runs on the same server address).
XML configuration:
<http>
<!-- ... -->
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
</http>
Java configuration:
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers().frameOptions().sameOrigin();
}
}
Disable Configuration
You could also just disable it, being aware of the security risk.
http.headers().frameOptions().disable();
Background Information
In Spring Security 3.2.0, security headers were introduced, but were disabled by default:
http://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/
In Spring Security 4.x the headers are enabled by default (for IFrames: X-Frame-Options: DENY):
"Spring Security 4.x has changed both the Java Configuration and XML Configuration to require explicit disabling of defaults."
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-header
Upvotes: 9
Reputation: 1
You can use
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
inside your <http> configuration in your security application context XML
Upvotes: 0
Reputation: 1104
The value of X-Frame-options can be DENY (default), SAMEORIGIN, and ALLOW-FROM uri. According to Spring Security documentation you can tell Spring to overwrite the default behaviour adding your custom header that way:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))))
...
}
and Spring shall append X-Frame-Options: ALLOW-FROM ... or
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
for X-Frame-Options: SAMEORIGIN or make it completely disable by
http.headers().frameOptions().disable()
Upvotes: 19
Related Questions
- Spring security: allow a few pages to be displayed in iframe
- enable X-Frame-Options header in spring-boot application (without spring security)
- Disable X-FrameOptions response header for a URL Spring Security JAVA config
- Allow Iframe for all domains while using Spring Security
- X-Frame DENY in Spring security
- Exception in Spring Boot when changing configuration of X-Frame-Options to ALLOW-FROM
- How to add X-FRAME-OPTIONS to some pages in Spring Security headers (Spring version 4.2.0)?
- How to prevent frame injection (clickjacking) in java application?
- Iframe in Firefox with Spring Security
- Unsafe JavaScript attempt to access with frame