Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Add check to see if return value is DENY

Originally, if the return from getAllowFromValue(request) is "DENY",
then the X-Frame-Options header's value will proceed to be written as
"ALLOW FROM DENY" - an invalid value.

This commit adds a condition in the if clause that checks whether
allowFromValue is "DENY". This way, the X-Frame-Options header will be
written as "ALLOW FROM origin" or "DENY".
Nathan Wong 8 years ago
parent
bed4ec7d18
commit
02a78b17b9
1 changed files with 1 additions and 1 deletions
Unified View Show Diff Stats
  1. 1 1
      web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java

+ 1 - 1
web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
View File 

@@ -83,7 +83,7 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
 
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 
 		if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
 
 		if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
 
 			String allowFromValue = allowFromStrategy.getAllowFromValue(request);
 
 			String allowFromValue = allowFromStrategy.getAllowFromValue(request);
 
-			if (allowFromValue != null) {
 
+			if (allowFromValue != null && !allowFromValue.equals(XFrameOptionsMode.DENY.getMode())) {
 
 				response.setHeader(XFRAME_OPTIONS_HEADER,
 
 				response.setHeader(XFRAME_OPTIONS_HEADER,
 
 						XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
 
 						XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
 
 			}
 
 			}