feat: set x-frame-options to sameorigin instead to deny

f1da5522 · Jan Pavlíček · 7d128730 · f1da5522
Verified Commit f1da5522 authored 11 months ago by Jan Pavlíček
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -134,6 +134,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Userinfo endpoint -->
@@ -147,6 +150,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Introspection endpoint -->
@@ -163,6 +169,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Dynamic registration endpoint -->
@@ -176,6 +185,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Revocation endpoint -->
@@ -192,6 +204,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Device endpoint -->
@@ -209,6 +224,9 @@
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- JWK endpoint -->
@@ -221,6 +239,9 @@
        <security:custom-filter ref="logRequestFilter" after="FIRST"/>
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- Well-known -->
@@ -233,6 +254,9 @@
        <security:custom-filter ref="logRequestFilter" after="FIRST"/>
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!--Static resources -->
@@ -244,6 +268,9 @@
        <security:custom-filter ref="mdcFilter" before="FIRST"/>
        <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <!-- GUI -->
@@ -255,6 +282,9 @@
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <security:http auto-config="false"
@@ -284,6 +314,9 @@
        <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
        <security:custom-filter ref="authProcFilters" before="LAST"/>
        <security:logout logout-url="/saml/logout"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
    </security:http>

    <security:authentication-manager id="clientAuthenticationManager">