Posted to commits@ofbiz.apache.org by mb...@apache.org on 2017/10/25 12:56:01 UTC

svn commit: r1813276 - in /ofbiz/ofbiz-framework/trunk/framework/webapp: dtd/site-conf.xsd src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Author: mbrohl
Date: Wed Oct 25 12:56:01 2017
New Revision: 1813276

URL: http://svn.apache.org/viewvc?rev=1813276&view=rev
Log:
Fixed: X-Frame-Options configuration is not working
(OFBIZ-9891)

This fixes a bug where the configuration attribute in the view-map
differs from what is read in the configuration handler.

Additionally, a new option "none" is introduced. If it is set, no X-Frame-Options
header will be set.

Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/dtd/site-conf.xsd
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/dtd/site-conf.xsd
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/dtd/site-conf.xsd?rev=1813276&r1=1813275&r2=1813276&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/dtd/site-conf.xsd Wed Oct 25 12:56:01 2017
@@ -782,7 +782,7 @@ under the License.
                 </xs:restriction>
             </xs:simpleType>
         </xs:attribute>
-        <xs:attribute name="x-frame-option" default="sameorigin">
+        <xs:attribute name="x-frame-options" default="sameorigin">
             <xs:annotation>
                 <xs:documentation>
                     Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. 
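Review bot: renaming the attribute from `x-frame-option` to `x-frame-options` is a schema-breaking change for any existing controller configuration that already used the old spelling; those view-maps will now fail XSD validation rather than silently lose the header, so the commit message or the schema documentation should call out the rename and the migration (or the old name should be kept as a deprecated alias for one release). The documentation text left unchanged here ("this page should not be placed within a frame") also no longer describes all enumerated values once a value that disables the header exists; consider rewording it to say the attribute controls the X-Frame-Options header value.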
@@ -799,6 +799,7 @@ under the License.
                     <xs:enumeration value="deny"/>
                     <xs:enumeration value="sameorigin"/>
                     <xs:enumeration value="allow-from"/>
+                    <xs:enumeration value="none"/>
                 </xs:restriction>
             </xs:simpleType>
         </xs:attribute>
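Review bot: the new `none` enumeration is undocumented in the `xs:documentation` block of this attribute; add a sentence stating that `none` suppresses the X-Frame-Options header entirely and therefore removes clickjacking protection for that view, so that a reviewer of a controller.xml can see the security consequence of choosing it. Also note that the pre-existing `allow-from` value is only meaningful with a trailing URI (`ALLOW-FROM https://example.org`), which a bare enumeration cannot express; that is outside this change but worth an OFBIZ follow-up.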

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1813276&r1=1813275&r2=1813276&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Wed Oct 25 12:56:01 2017
@@ -952,7 +952,9 @@ public class RequestHandler {
         String xFrameOption = viewMap.xFrameOption;
         // default to sameorigin
         if (UtilValidate.isNotEmpty(xFrameOption)) {
-            resp.addHeader("x-frame-options", xFrameOption);
+            if(!"none".equals(xFrameOption)) {
+                resp.addHeader("x-frame-options", xFrameOption);
+            }
         } else {
             resp.addHeader("x-frame-options", "sameorigin");
         }
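Review bot: the comparison `!"none".equals(xFrameOption)` is case-sensitive, so a value such as `None` would pass the check and be emitted literally as the header value; since the XSD restricts the attribute to lowercase tokens this is acceptable as long as the schema is actually enforced at load time, but `"none".equalsIgnoreCase(xFrameOption)` would be the more defensive choice. Two smaller points: the project style uses a space after `if` (`if (!"none".equals(xFrameOption))`), and the `// default to sameorigin` comment now sits above the branch that handles explicit values; it belongs on the `else` branch, or could be replaced by a comment explaining that `none` deliberately omits the header.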