I have CKeditor on my jsp and whenever I upload something, the following error pops out:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.
I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags?
By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config:
<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>
Here are available options for policy
For more information take a look here.
And here to check how you can configure the headers using either XML or Java configs.
Note that you might also need to specify an appropriate strategy, based on needs.
What is the namespace for this http and headers tags?
Is it possible to apply this as the controller method level?
If you need to configure it within WebSecurityConfigurerAdapter's configure method, write the following code:
http.headers().frameOptions().sameOrigin();
@vtor I use spring 3.1 and this is not supported, any workaround you might suggest?
@Spring docs.spring.io/spring-security/site/docs/current/reference/html/… it is supported. Could you please share what you have tried and didn't work?