root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Avoid multiple X-Frame-Options headers 

XFrameOptionsHeaderWriter should not *add*, but *set* the
X-Frame-Options header. According to
https://tools.ietf.org/html/rfc7034#section-2.1, having
multiple values for the header is disallowed:

"There are three different values for the header field.
These values are mutually exclusive; that is, the header
field MUST be set to exactly one of the three values."

With this change, only the latest XFrameOptionsHeaderWriter
will remain.
This commit is contained in:
borlafu 2017-03-07 21:04:13 +01:00 committed by Rob Winch
parent d2524eadfc
commit 8a458eb9e1
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
View File

@ -74,16 +74,22 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
this.allowFromStrategy = allowFromStrategy; this.allowFromStrategy = allowFromStrategy;
} }
/**
* Writes the X-Frame-Options header value, overwritting any previous value.
*
* @param request the servlet request
* @param response the servlet response
*/
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) { public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) { if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
String allowFromValue = allowFromStrategy.getAllowFromValue(request); String allowFromValue = allowFromStrategy.getAllowFromValue(request);
if (allowFromValue != null) { if (allowFromValue != null) {
response.addHeader(XFRAME_OPTIONS_HEADER, response.setHeader(XFRAME_OPTIONS_HEADER,
XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue); XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
} }
} }
else { else {
response.addHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode()); response.setHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());
} }
} }

13
web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java
View File

@ -108,4 +108,17 @@ public class FrameOptionsHeaderWriterTests {
assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER)) assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
.isEqualTo("SAMEORIGIN"); .isEqualTo("SAMEORIGIN");
} }
@Test
public void writeHeadersTwiceLastWins() {
writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN);
writer.writeHeaders(request, response);
writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY);
writer.writeHeaders(request, response);
assertThat(response.getHeaderNames().size()).isEqualTo(1);
assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
.isEqualTo("DENY");
}
} }