How to disable 'X-Frame-Options' response

2019-01-08 11:29发布

站内问答 / Java
964 6 4

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags

6条回答
爱情/是我丢掉的垃圾
2楼-- · 2019-01-08 11:39

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are available options for policy

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note, that you might need also to specify appropriate strategy, based on needs.

查看更多
0人赞 添加讨论(0) 举报
We Are One
3楼-- · 2019-01-08 11:39

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties:

security.headers.frame=false

There is also security.headers.cache, security.headers.content-type, security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties.

查看更多
0人赞 添加讨论(0) 举报
祖国的老花朵
4楼-- · 2019-01-08 11:44

Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow the X-Frame-Options: SAMEORIGIN, then you would need to use the following.

For older Spring Security versions:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

For newer versions like Spring Security 4.0.2:

http
   .headers()
      .frameOptions()
         .sameOrigin();
查看更多
0人赞 添加讨论(0) 举报
冷血范
5楼-- · 2019-01-08 11:52

If you're using Java configs instead of XML configs, put this in your "WebSecurityConfigurerAdapter.configure(HttpSecurity http)" method:

http.headers().frameOptions().disable();
查看更多
0人赞 添加讨论(0) 举报
男人必须洒脱
6楼-- · 2019-01-08 11:53

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
   WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().disable()
      ...;
  }
}
查看更多
0人赞 添加讨论(0) 举报
太酷不给撩
7楼-- · 2019-01-08 11:54

If using XML configuration you can use 

<beans xmlns="http://www.springframework.org/schema/beans" 
       xmlns:security="http://www.springframework.org/schema/security"> 
<security:http>
    <security:headers>
         <security:frame-options disabled="true"></security:frame-options>
    </security:headers>
</security:http>
</beans>
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)