Posted to users@wicket.apache.org by Oscar Besga Arcauz <ob...@isdefe.es> on 2012/12/12 12:34:12 UTC

[FYI] X-Frame-Options deny Header

Hi Wickers


In my Wicket app, I had another filter, before the Wicket app, that used to add headers to every request to the webapp.
One of these headers was X-Frame-Options with value deny, which prevents pages and elements from being used inside an <iframe>; it's recommended for security reasons (XSS and CSRF).

In some forms, however, it blocked updates and inner reloads (especially when a file upload was involved); it has been a little nightmare to find out what was going on.

So I removed this header, setting it only in Wicket pages.

I hope you find it useful.



 
    > > > Oscar Besga Arcauz  < < < 
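
Added example (not part of the original post, and not Wicket's own code): the two header placements described above, side by side. Class names are hypothetical; it assumes the Servlet API and Wicket 1.5/6, where WebPage exposes setHeaders(WebResponse), and it assumes the broken forms were Ajax multipart submits, which Wicket posts into a hidden iframe.

```java
// Added illustration; FrameDenyFilter and FrameDenyPage are hypothetical names.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.http.WebResponse;

/** Before: a servlet filter mapped ahead of the Wicket filter. */
class FrameDenyFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Stamps every response: full pages, but also Ajax replies and the
        // reply to a multipart upload that the browser loads into an iframe.
        ((HttpServletResponse) res).setHeader("X-Frame-Options", "deny");
        chain.doFilter(req, res);
    }
}

/** After: the header is written only when a Wicket page is rendered. */
abstract class FrameDenyPage extends WebPage {
    @Override
    protected void setHeaders(WebResponse response) {
        super.setHeaders(response); // keep Wicket's default cache headers
        response.setHeader("X-Frame-Options", "deny");
    }
}
```

With the second placement, only pages that extend the base class carry the header, so confirm in the browser's network view that every top-level page response still returns it.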