Hi, Tomcat version: apache-tomcat-8.0.28
Issue: I am trying to open an external URL in an iframe in our application. The external URL has X-FRAME-OPTIONS set to DENY in their JSP code, which I am trying to override using filters in web.xml.

Here's the code where I added the filters in web.xml:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>ipaddress2</param-value>
        </init-param>
    </filter>

The external application is set up on the same domain but on a different box having a different IP address <ipaddress2>, while our application is running on <ipaddress1>. As per the definition of the filters, now all X-FRAME-OPTIONS should be replaced by ALLOW-FROM, but I still get an error: "Refused to display 'https://<ipaddress1>:<port>/xyz/' in a frame because it set 'X-Frame-Options' to 'DENY'."

Can someone help me with this? Is there anything wrong with the syntax in the web.xml?

NOTE: I also tried commenting out the following lines in web.xml as per an email thread I found on the Apache mailing list.

    <!--
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    -->
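
An added example, not part of the original post and not Tomcat code: a simplified JavaScript model of how a browser applies X-Frame-Options (RFC 7034 semantics). Its only header input is the response loaded inside the iframe, because that is the response the browser checks. The function name, the `supportsAllowFrom` option and the 192.0.2.x addresses are constructed for illustration.

```javascript
// Added example: simplified model of how a browser applies X-Frame-Options
// (RFC 7034). Addresses are constructed placeholders (TEST-NET-1).

// framedHeaders: headers of the response loaded INSIDE the iframe.
// parentUrl: URL of the page that contains the <iframe> element.
// Headers sent by the parent page are deliberately not an input.
function framingDecision(framedUrl, framedHeaders, parentUrl, opts = {}) {
  const supportsAllowFrom = opts.supportsAllowFrom ?? false;
  const parentOrigin = new URL(parentUrl).origin; // scheme + host + port
  const name = Object.keys(framedHeaders)
    .find((k) => k.toLowerCase() === 'x-frame-options');
  if (!name) return { allowed: true, reason: 'framed response sets no header' };

  const value = String(framedHeaders[name]).trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') {
    return { allowed: false, reason: 'framed response sets DENY' };
  }
  if (upper === 'SAMEORIGIN') {
    const same = new URL(framedUrl).origin === parentOrigin;
    return { allowed: same, reason: same ? 'origins match' : 'origins differ' };
  }
  if (upper.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete; browsers without support ignore the header.
    if (!supportsAllowFrom) {
      return { allowed: true, reason: 'ALLOW-FROM unsupported, header ignored' };
    }
    let listed;
    try {
      listed = new URL(value.slice('ALLOW-FROM'.length).trim()).origin;
    } catch (e) {
      // Model choice: a value that is not a full URI matches nothing.
      return { allowed: false, reason: 'ALLOW-FROM value is not a valid URI' };
    }
    const ok = listed === parentOrigin;
    return { allowed: ok, reason: ok ? 'parent is listed' : 'parent not listed' };
  }
  return { allowed: true, reason: 'unrecognised value ignored (model choice)' };
}

const PARENT = 'https://192.0.2.10:8443/app/'; // page holding the iframe
const FRAMED = 'https://192.0.2.20:8443/xyz/'; // page shown in the iframe

// The framed server's own DENY decides the outcome for the frame.
console.log(framingDecision(FRAMED, { 'X-Frame-Options': 'DENY' }, PARENT));
```

A header added by a filter in the embedding application travels with that application's own responses, so it never enters this check for a page served by the other server.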