James,

On 3/26/20 12:54, James H. H. Lampert wrote:
> On 3/24/20 2:25 PM, Christopher Schultz wrote:
>> I don't understand exactly how X-Frame-Options (which is what
>> the HttpHeaderSecurityFilter is configuring) is being used by
>> your application, but I believe X-Frame-Options is essentially
>> being replaced by various features of Content-Security-Policy.
>> You may want to talk to your engineers about using one of those
>> versus the other; you may want to discontinue using the "anti
>> click-jacking" features of this filter altogether in favor of
>> something else.
>
> Dear Mr. Schultz (et al):
>
> Thanks. Our webapp team combined your answer with what we could
> glean from the customer's security audit, and has come up with a
> solution involving a Content-Security-Policy, using a class he
> added to the webapp. I'm not sure, but I think it can be built into
> the WAR file.

Glad to hear they have a fix.

> On our own Tomcat server, we have another webapp that cannot have
> clickjack protection via a HTTPHeaderSecurity filter with
>>
>>   <param-name>antiClickJackingOption</param-name>
>>   <param-value>SAMEORIGIN</param-value>
>>
>
> because it's specifically designed to go into a frame, in a page
> served from an entirely different server. Is that what the
> "ALLOW-FROM" option and the associated "antiClickJackingUri"
> parameter are for?

I would encourage you to read the Tomcat documentation and then go
down the rabbit hole a little bit by reading about the various headers
Tomcat is setting. The Tomcat documentation doesn't cover what all
those things do; just what effect the config has on the headers. You
will learn better what they do by reading the header documentation
yourself than if I try to summarize here for you.

Sorry, I know that RTFM isn't the most convenient response, but I
think it's the best one for you.
-chris
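An added example, not from this thread or from Tomcat itself, of the Content-Security-Policy approach the thread describes for the second webapp, the one that must be framed by a page on a different server: a servlet Filter that emits a `frame-ancestors` directive naming that one origin, used with the HttpHeaderSecurityFilter's `antiClickJackingEnabled` set to `false` for that webapp. The partner origin, the `allowedOrigin` init-parameter and the class name are assumed placeholders.

```java
// Added example (not from the thread): a Filter that allows exactly one
// other origin to frame this webapp via CSP frame-ancestors. For this app
// set HttpHeaderSecurityFilter's antiClickJackingEnabled=false, otherwise
// its X-Frame-Options: SAMEORIGIN would still block the partner's frame
// in browsers that do not implement CSP frame-ancestors.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class FrameAncestorsFilter implements Filter {
    // Origin of the page permitted to frame this webapp (assumed placeholder).
    private String allowedOrigin = "https://partner.example";

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param name; configure it in web.xml alongside the filter.
        String p = config.getInitParameter("allowedOrigin");
        if (p != null && !p.trim().isEmpty()) {
            allowedOrigin = p.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // 'self' keeps same-origin framing working; the partner origin is the
            // only other ancestor allowed. X-Frame-Options cannot express this
            // portably (ALLOW-FROM was never widely implemented), so CSP is used.
            http.setHeader("Content-Security-Policy",
                    "frame-ancestors 'self' " + allowedOrigin);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the framed webapp's URL patterns in its web.xml; pages that are never meant to be framed should keep the HttpHeaderSecurityFilter's SAMEORIGIN or DENY setting instead.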