Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Avoid multiple X-Frame-Options headers

XFrameOptionsHeaderWriter should not *add*, but *set* the
X-Frame-Options header. According to
https://tools.ietf.org/html/rfc7034#section-2.1, having
multiple values for the header is disallowed:

"There are three different values for the header field.
These values are mutually exclusive; that is, the header
field MUST be set to exactly one of the three values."

With this change, only the latest XFrameOptionsHeaderWriter
will remain.
borlafu 8 years ago
parent
d2524eadfc
commit
8a458eb9e1
2 changed files with 21 additions and 2 deletions
Split View Show Diff Stats
  1. 8 2
      web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
  2. 13 0
      web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java

+ 8 - 2
web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
View File 

@@ -74,16 +74,22 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
 
 		this.allowFromStrategy = allowFromStrategy;
 
 	}
 
 
+	/**
 
+	 * Writes the X-Frame-Options header value, overwritting any previous value.
 
+	 *
 
+	 * @param request the servlet request
 
+	 * @param response the servlet response
 
+	 */
 
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 
 		if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
 
 			String allowFromValue = allowFromStrategy.getAllowFromValue(request);
 
 			if (allowFromValue != null) {
 
-				response.addHeader(XFRAME_OPTIONS_HEADER,
 
+				response.setHeader(XFRAME_OPTIONS_HEADER,
 
 						XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
 
 			}
 
 		}
 
 		else {
 
-			response.addHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());
 
+			response.setHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());
 
 		}
 
 	}

+ 13 - 0
web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java
View File 

@@ -108,4 +108,17 @@ public class FrameOptionsHeaderWriterTests {
 
 		assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
 
 				.isEqualTo("SAMEORIGIN");
 
 	}
 
+
 
+	@Test
 
+	public void writeHeadersTwiceLastWins() {
 
+		writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN);
 
+		writer.writeHeaders(request, response);
 
+
 
+		writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY);
 
+		writer.writeHeaders(request, response);
 
+
 
+		assertThat(response.getHeaderNames().size()).isEqualTo(1);
 
+		assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
 
+				.isEqualTo("DENY");
 
+	}
 
 }