
feat: set x-frame-options to sameorigin instead to deny

Merged Jan Pavlíček requested to merge xpavlic/sameorigin_header into main
1 file
+ 33
0
@@ -134,6 +134,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Userinfo endpoint -->
@@ -147,6 +150,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Introspection endpoint -->
@@ -163,6 +169,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Dynamic registration endpoint -->
@@ -176,6 +185,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Revocation endpoint -->
@@ -192,6 +204,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Device endpoint -->
@@ -209,6 +224,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- JWK endpoint -->
@@ -221,6 +239,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- Well-known -->
@@ -233,6 +254,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!--Static resources -->
@@ -244,6 +268,9 @@
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<!-- GUI -->
@@ -255,6 +282,9 @@
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<security:http auto-config="false"
@@ -284,6 +314,9 @@
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="authProcFilters" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
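Review bot: The relaxation from DENY to SAMEORIGIN is applied uniformly to all eleven `<security:http>` blocks, including the ones the surrounding comments label Userinfo, Introspection, Dynamic registration, Revocation, Device, JWK and Well-known, which serve machine-consumed responses and have no reason to be framed at all; the loosening only makes sense for whichever block actually serves framed HTML (presumably the GUI and the SAML login block, but the MR does not say which). Consider keeping Spring Security's default `<security:frame-options policy="DENY"/>` on the API-style blocks and limiting SAMEORIGIN to the block(s) that need it, with a why-comment on those, e.g. `<!-- SAMEORIGIN: this page is embedded by a same-origin consumer; every other endpoint stays DENY -->`. SAMEORIGIN is also evaluated inconsistently across browsers (older ones check only the immediate parent, not the full ancestor chain), so if the Spring Security version in use supports it, pair the change with `<security:content-security-policy policy-directives="frame-ancestors 'self'"/>` inside the same `<security:headers>` element. Each `<security:http>` element opens above its hunk, so the `pattern` and the rest of each block's configuration are not visible here.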