From f1da5522abc004f4608b951459fdb7ec89d72aa7 Mon Sep 17 00:00:00 2001
From: Jan Pavlicek <469355@mail.muni.cz>
Date: Tue, 16 Jul 2024 18:09:20 +0200
Subject: [PATCH] feat: set x-frame-options to sameorigin instead to deny

---
 .../src/main/webapp/WEB-INF/web-context.xml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 0a03bf565..6738b4869 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -134,6 +134,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:access-denied-handler ref="oauthAccessDeniedHandler" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Userinfo endpoint -->
@@ -147,6 +150,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Introspection endpoint -->
@@ -163,6 +169,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Dynamic registration endpoint -->
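Review bot: The relaxed `<security:frame-options policy="SAMEORIGIN"/>` is added identically to every `<security:http>` block, including the ones that only serve JSON to non-browser clients (the blocks labelled Userinfo, Introspection, Dynamic registration, Revocation, Device, JWK and Well-known in the hunks at @@ -147, @@ -163, @@ -176, @@ -192, @@ -209, @@ -221 and @@ -233), where no response is ever rendered in a frame and the stricter policy the commit title says was in force before costs nothing. Least privilege would keep those blocks at `<security:frame-options policy="DENY"/>` and limit SAMEORIGIN to the blocks that actually return HTML, which from the section comments appear to be the GUI and SAML-login blocks in the later hunks; which pages are genuinely framed is decided by the GUI code, not by this file, so that should be confirmed with the frontend owners. Separately, what `<security:headers>` with an explicit child does to the other default headers (for example `X-Content-Type-Options`) varies between Spring Security versions, and the version is not visible here; a capture of the response headers after deployment would confirm nothing else was dropped. Each enclosing `<security:http>` element begins before its hunk.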
@@ -176,6 +185,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Revocation endpoint -->
@@ -192,6 +204,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Device endpoint -->
@@ -209,6 +224,9 @@
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:access-denied-handler ref="oauthAccessDeniedHandler" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- JWK endpoint -->
@@ -221,6 +239,9 @@
 <security:custom-filter ref="logRequestFilter" after="FIRST"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- Well-known -->
@@ -233,6 +254,9 @@
 <security:custom-filter ref="logRequestFilter" after="FIRST"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!--Static resources -->
@@ -244,6 +268,9 @@
 <security:custom-filter ref="mdcFilter" before="FIRST"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <!-- GUI -->
@@ -255,6 +282,9 @@
 <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
 <security:csrf disabled="true"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <security:http auto-config="false"
@@ -284,6 +314,9 @@
 <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
 <security:custom-filter ref="authProcFilters" before="LAST"/>
 <security:logout logout-url="/saml/logout"/>
+<security:headers>
+<security:frame-options policy="SAMEORIGIN"/>
+</security:headers>
 </security:http>
 
 <security:authentication-manager id="clientAuthenticationManager">
-- 
GitLab
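Review bot: The block in the hunk at @@ -284, the one with `samlFilter` and the `/saml/logout` handler, is the one a browser actually renders, so it is where the weaker SAMEORIGIN policy carries real clickjacking exposure: any page served from this origin may now frame the login flow, which only stays safe as long as nothing user-controllable is hosted on the same origin. `X-Frame-Options` is the legacy mechanism and cannot express anything finer than same-origin; adding `<security:content-security-policy policy-directives="frame-ancestors 'self'"/>` inside the same `<security:headers>` states the intended policy in the form current browsers prefer, assuming the project's Spring Security version provides that element, which this diff does not show. A short comment on the `<security:headers>` element recording why the login page must be frameable (for example, `<!-- SAMEORIGIN rather than DENY: the GUI embeds this flow in a same-origin frame -->`) would stop the next reviewer from tightening it back to DENY. The `<security:http auto-config="false"` element opens before the hunk and the GUI block of the hunk at @@ -255 likewise begins outside it.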