X-Frame-Options: Formspider under Tomcat9

Question

Hello Team, We are trying to integrate FS app infot another java app which is running on other port. That means that while using i-frame we get X-Frame-Options Header which deny such an action.

According to the documentation of Tomcat9 we added some params to the Tomcat config file and they work for other apps:

  <init-param>
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>false</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>DENY</param-value>
        </init-param>

but seems that somewhere in the application .war file this is overrided because it always returns

$ curl -I http://ip:port/formspider2/main.html?name=CL0060305\&sid=784778

HTTP/1.1 200  Cache-Control: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie:
JSESSIONID=9FDC1AD6D451343F28A34E21B068FD5B;
Path=/formspider2; HttpOnly

X-Frame-Options: SAMEORIGIN

Content-Type:
text/html;charset=ISO-8859-1
Transfer-Encoding: chunked Date: Thu,
17 Jan 2019 14:47:04 GMT

Is there any way to make it work in frame?

Answer 1

1

Hi Anatoly,

You are right that SAMEORIGIN header is set under the hood as a security restriction.

It is configured inside "main.jsp" file at the root level. You can modify this file according to your requirements.

Kind Regards, Serdar

link

answered 18 Jan, 05:59

Serdar ♦♦
100k●4
accept rate: 12%

thanks! that worked

(18 Jan, 07:14) viktorK

X-Frame-Options: Formspider under Tomcat9

Follow this question

Related questions