From f1da5522abc004f4608b951459fdb7ec89d72aa7 Mon Sep 17 00:00:00 2001
From: Jan Pavlicek <469355@mail.muni.cz>
Date: Tue, 16 Jul 2024 18:09:20 +0200
Subject: [PATCH] feat: set x-frame-options to sameorigin instead to deny
---
.../src/main/webapp/WEB-INF/web-context.xml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 0a03bf565..6738b4869 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -134,6 +134,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Userinfo endpoint -->
@@ -147,6 +150,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Introspection endpoint -->
@@ -163,6 +169,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Dynamic registration endpoint -->
@@ -176,6 +185,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Revocation endpoint -->
@@ -192,6 +204,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Device endpoint -->
@@ -209,6 +224,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- JWK endpoint -->
@@ -221,6 +239,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- Well-known -->
@@ -233,6 +254,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!--Static resources -->
@@ -244,6 +268,9 @@
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<!-- GUI -->
@@ -255,6 +282,9 @@
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<security:http auto-config="false"
@@ -284,6 +314,9 @@
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="authProcFilters" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
+ <security:headers>
+ <security:frame-options policy="SAMEORIGIN"/>
+ </security:headers>
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
--
GitLab