On Wed, Oct 6, 2021 at 8:58 PM Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> Wed, 6 Oct 2021 at 13:10, Martin Knoblauch <kn...@knobisoft.de>:
> >
> > Hi,
> >
> > sorry for asking this likely stupid question. This is with Apache HTTPD 2.4.48.
> >
> > I want to change the value of the X-Frame-Options response header from DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
> >
> > Naively, because the mod_header documentation says "The response header is set, replacing any previous header with this name. The value may be a format string.", I added a single
> >
> > Header always set X-Frame-Options SAMEORIGIN
> >
> > to the VirtualHost section of the httpd configuration. To my surprise my browser (FF and Chrome) has two headers now, one with DENY, one with SAMEORIGIN. And falls back to DENY :-(
> >
> > When I add an unset before the set, it works
> >
> > Header unset X-Frame-Options
> > Header always set X-Frame-Options SAMEORIGIN
> >
> > Is my understanding of the mod_header documentation wrong, or do I miss something subtle?
>
> See my recent answer in "X-Frame-Options and security" thread.
> https://httpd.markmail.org/message/pwsrgbj7pjy4qiei
>
> All is in the docs, if you read carefully, but I agree that it is subtle.
> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>
> Essentially, (as far as I am reading it), "onsuccess" and "always" are just names of two separate tables (lists) of headers that exist in parallel.
>
> <quote>
> it does not offer any "normalized" single list of headers
> </quote>
>
> Best regards,
> Konstantin Kolinko
>

Hi Konstantin,

OK, so I apparently did not read carefully enough and got the onsuccess/always meaning wrong. Subtle indeed :-)

Anyway, I solved my problem at the root and convinced Spring Websecurity to set the "right" header value in the first place.

Cheers
Martin

--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
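The two-table behaviour Konstantin describes is easy to misread, so here is an added illustration (not code from the thread, from Apache httpd or from mod_headers itself): a small Python model of the "onsuccess" and "always" header tables, with `Header set`/`unset`/`add` applied to one table or the other and both tables sent to the client. The table names follow the mod_headers documentation; the directive handling, the assumption that a proxied backend's header lands in the onsuccess table (which is what the thread observed), and the browser rule that conflicting X-Frame-Options values collapse to DENY (also as observed in the thread) are simplifications made for this example.

```python
"""Model of mod_headers' two header tables (example code, not Apache's own).

Assumptions, labelled here and in the lead-in: the backend's header sits in the
"onsuccess" table; `Header` without a condition means "onsuccess"; the client
receives the concatenation of both tables; a browser treats conflicting
X-Frame-Options values as DENY.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ResponseTables:
    # "onsuccess" table: where a proxied backend's (Tomcat's, in the thread) headers land.
    onsuccess: List[Tuple[str, str]] = field(default_factory=list)
    # "always" table: the table that `Header always ...` operates on.
    always: List[Tuple[str, str]] = field(default_factory=list)

    def table(self, condition: str) -> List[Tuple[str, str]]:
        return self.always if condition == "always" else self.onsuccess


def header_directive(tables: ResponseTables, directive: str) -> None:
    """Apply one `Header [condition] action name [value]` line.

    Only `set`, `unset` and `add` are modelled. With no condition the
    directive acts on the "onsuccess" table, never on the "always" table.
    """
    parts = directive.split()
    if parts[0] != "Header":
        raise ValueError("expected a Header directive")
    parts = parts[1:]
    condition = "onsuccess"
    if parts[0] in ("always", "onsuccess"):
        condition = parts.pop(0)
    action, name = parts[0], parts[1]
    value: Optional[str] = " ".join(parts[2:]) if len(parts) > 2 else None
    tbl = tables.table(condition)
    lname = name.lower()
    if action in ("set", "unset"):
        # set/unset only replace entries in the table chosen by the condition;
        # a matching header in the *other* table is left untouched.
        tbl[:] = [(n, v) for n, v in tbl if n.lower() != lname]
        if action == "set":
            tbl.append((name, value or ""))
    elif action == "add":
        tbl.append((name, value or ""))
    else:
        raise ValueError(f"unsupported action {action!r}")


def wire_headers(tables: ResponseTables, name: str) -> List[str]:
    """Values of `name` as the client sees them: both tables are emitted."""
    lname = name.lower()
    return [v for n, v in tables.onsuccess + tables.always if n.lower() == lname]


def effective_xfo(values: List[str]) -> str:
    """Browser-side outcome: conflicting X-Frame-Options values fall back to DENY."""
    distinct = {v.strip().upper() for v in values}
    if not distinct:
        return "NONE"
    if len(distinct) > 1 or "DENY" in distinct:
        return "DENY"
    return distinct.pop()


def backend_response() -> ResponseTables:
    # Constructed sample: the backend already sent DENY, placed in the onsuccess table.
    return ResponseTables(onsuccess=[("X-Frame-Options", "DENY")])


def single_always_set() -> List[str]:
    """The configuration from the thread that surprised the poster."""
    t = backend_response()
    header_directive(t, "Header always set X-Frame-Options SAMEORIGIN")
    return wire_headers(t, "X-Frame-Options")


def unset_then_always_set() -> List[str]:
    """The configuration from the thread that worked."""
    t = backend_response()
    header_directive(t, "Header unset X-Frame-Options")
    header_directive(t, "Header always set X-Frame-Options SAMEORIGIN")
    return wire_headers(t, "X-Frame-Options")


if __name__ == "__main__":
    for label, fn in (("always set only", single_always_set),
                      ("unset + always set", unset_then_always_set)):
        vals = fn()
        print(f"{label:20s} -> on the wire {vals}, browser applies {effective_xfo(vals)}")
```

Running the block prints that `Header always set` alone leaves both DENY and SAMEORIGIN on the wire (and the browser keeps DENY), while the `Header unset` plus `Header always set` pair leaves a single SAMEORIGIN. The `unset` without a condition is what clears the backend's copy from the onsuccess table; the `always set` then populates the parallel table, and the client receives the two lists concatenated, which is exactly the "no normalized single list" point Konstantin quotes from the docs.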