Posted to users@tomcat.apache.org by Ruan van Tonder <ru...@gm.com> on 2016/05/05 10:58:40 UTC

antiClickJackingUri syntax in HTTP header security filter definition

Good day

We are running Apache Tomcat 7.0.64 on Windows Server 2012 R2. Currently we have an issue where an application page which we are using is being framed by another and, due to the default settings in the HTTP header security filter, is not being allowed to be displayed in Internet Explorer.

I have attempted to add the referring URI into the HTTP header security config via the antiClickJackingUri parameter in the web.xml file located in Tomcat\conf\, e.g.:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>http://savanttools.com/test-frame/*</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

I wanted to confirm the syntax to be used for the URI as I am not able to find any specification in the documentation. Using the above syntax does not work.

Interestingly, when using <param-value>ALLOW-FROM http://savanttools.com/test-frame/ </param-value> in the application-specific web.xml it does seem to work (at least when disabling the HTTP header security filter in the top-level web.xml).

Does anybody please have any advice or experience in this regard?

Thanks in advance
Ruan van Tonder


Re: antiClickJackingUri syntax in HTTP header security filter definition

Posted by Violeta Georgieva <mi...@gmail.com>.
Hi,

2016-05-05 13:58 GMT+03:00 Ruan van Tonder <ru...@gm.com>:
>
> Good day
>
> We are running Apache Tomcat 7.0.64 on Windows Server 2012 R2. Currently
> we have an issue where an application page which we are using is being
> framed by another and due to the default settings in the HTTP header
> security filter is not being allowed to be displayed in Internet Explorer.
>
> I have attempted to add the referring URI into the HTTP header security
> config via the antiClickJackingUri parameter in the web.xml file located in
> Tomcat\conf\ e.g.:
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
>     <init-param>
>         <param-name>antiClickJackingEnabled</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>antiClickJackingOption</param-name>
>         <param-value>ALLOW-FROM</param-value>
>     </init-param>
>     <init-param>
>         <param-name>antiClickJackingUri</param-name>
>         <param-value>http://savanttools.com/test-frame/*</param-value>
>     </init-param>
>     <init-param>
>         <param-name>blockContentTypeSniffingEnabled</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </filter>
>

This configuration is OK.

> I wanted to confirm the syntax to be used for the URI as I am not able to
> find any specification in the documentation. Using the above syntax does
> not work.

There was an issue in the org.apache.catalina.filters.HttpHeaderSecurityFilter. I fixed it.

If you can test against Tomcat 7 trunk it will be very helpful.

The fix will be available in Tomcat 7.0.70 onwards.

Regards,
Violeta

> Interestingly, when using <param-value>ALLOW-FROM
> http://savanttools.com/test-frame/ </param-value> in the application-
> specific web.xml it does seem to work (at least when disabling the HTTP
> header security filter in the top-level web.xml).
>
> Does anybody please have any advice or experience in this regard?
>
> Thanks in advance
> Ruan van Tonder
>
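To check what a filter definition like the one in this thread should produce on the wire, here is an added example (not Tomcat's code and not from either poster) that derives the X-Frame-Options value implied by the filter's documented init-params and lints an observed response header against it. It embeds the thread's <filter> fragment as constructed input and assumes the filter's documented defaults (antiClickJackingEnabled=true, antiClickJackingOption=DENY); the wildcard finding reflects RFC 7034, which defines ALLOW-FROM as a single URI with no wildcard form, so what a browser does with a `*` is separate from whether Tomcat accepts the setting.

```python
import xml.etree.ElementTree as ET

# The <filter> definition from the thread, embedded (constructed input) so the
# script runs offline against the exact configuration under discussion.
FILTER_XML = """<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>antiClickJackingOption</param-name><param-value>ALLOW-FROM</param-value></init-param>
  <init-param><param-name>antiClickJackingUri</param-name><param-value>http://savanttools.com/test-frame/*</param-value></init-param>
  <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>false</param-value></init-param>
</filter>"""

def init_params(filter_xml):
    """Map init-param names to values for one <filter> element."""
    root = ET.fromstring(filter_xml)
    return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
            for p in root.findall("init-param")}

def expected_xfo(params):
    """X-Frame-Options value the filter's documented init-params imply
    (defaults: antiClickJackingEnabled=true, antiClickJackingOption=DENY);
    None when the header should not be emitted at all."""
    if params.get("antiClickJackingEnabled", "true").lower() != "true":
        return None
    option = params.get("antiClickJackingOption", "DENY").upper()
    if option not in ("DENY", "SAMEORIGIN", "ALLOW-FROM"):
        # Anything other than the three documented values is rejected here
        # rather than passed through (assumption: mirrors the filter's own check).
        raise ValueError("invalid antiClickJackingOption: " + option)
    if option == "ALLOW-FROM":
        return "ALLOW-FROM " + params.get("antiClickJackingUri", "")
    return option

def lint_xfo(value):
    """Problems a defender would flag in an observed X-Frame-Options value."""
    if value is None:
        return ["no X-Frame-Options header: the page can be framed by any site"]
    parts = value.split(None, 1)
    directive = parts[0].upper()
    rest = parts[1].strip() if len(parts) > 1 else ""
    if directive in ("DENY", "SAMEORIGIN"):
        return ["unexpected text after " + directive] if rest else []
    if directive == "ALLOW-FROM":
        if not rest:
            return ["ALLOW-FROM without a URI"]
        if "*" in rest:
            return ["ALLOW-FROM takes a single URI; '*' is not a defined wildcard"]
        return []
    return ["unknown X-Frame-Options directive: " + directive]

def check(filter_xml, observed):
    """Compare the header a server actually sent with what its config implies."""
    expected = expected_xfo(init_params(filter_xml))
    return {"expected": expected, "matches": observed == expected,
            "findings": lint_xfo(observed)}
```

Feed `check()` the X-Frame-Options value captured from a real response (curl -I or the browser's network panel) to confirm the deployed filter emits what the web.xml implies.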