Good day
We are running Apache Tomcat 7.0.64 on Windows Server 2012 R2. Currently we
have an issue where an application page which we are using is being framed by
another and due to the default settings in the HTTP header security filter is
not being allowed to be displayed in Internet Explorer.
I have attempted to add the referring URI into the HTTP header security config
via the antiClickJackingUri parameter in the web.xml file located in
Tomcat\conf\ e.g.:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>http://savanttools.com/test-frame/*</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
I wanted to confirm the syntax to be used for the URI as I am not able to find
any specification in the documentation. Using the above syntax does not work.
Interestingly when using <param-value>ALLOW-FROM
http://savanttools.com/test-frame/ </param-value> in the application specific
web.xml it does seem to work (at least when disabling the HTTP header security
at the top level web.xml).
Does anybody please have any advice or experience in this regard?
Thanks in advance
Ruan van Tonder
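
An added example, not part of the original post and not Tomcat code: a small Python audit that reads the HttpHeaderSecurityFilter init-params from a web.xml and checks the antiClickJackingUri value against the X-Frame-Options ALLOW-FROM rules in RFC 7034 (one origin per header; wildcards and lists are not permitted). The function names and the trimmed sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample: the filter from the post, reduced to its anti-clickjacking parameters.
SAMPLE = """<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value></init-param>
  <init-param><param-name>antiClickJackingUri</param-name>
    <param-value>http://savanttools.com/test-frame/*</param-value></init-param>
</filter></web-app>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def _text(parent, name):
    for child in parent:
        if _local(child) == name:
            return (child.text or "").strip()
    return ""

def clickjacking_params(web_xml):
    """Return the init-params of the HttpHeaderSecurityFilter as a dict."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el) == "filter" and _text(el, "filter-class") == FILTER_CLASS:
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in el if _local(p) == "init-param"}
    return {}

def audit_allow_from(params):
    """Check an ALLOW-FROM target against RFC 7034; return (origin, findings)."""
    if params.get("antiClickJackingOption", "").upper() != "ALLOW-FROM":
        return None, []
    uri = params.get("antiClickJackingUri", "")
    parts, findings = urlsplit(uri), []
    if parts.scheme not in ("http", "https") or not parts.hostname:
        findings.append("not an absolute http(s) URI")
    if "*" in uri:
        findings.append("wildcard present; ALLOW-FROM names exactly one origin")
    if any(sep in uri for sep in (" ", ",", ";")):
        findings.append("looks like a list; only one origin is allowed")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append("path/query is not part of an origin (scheme://host[:port])")
    origin = f"{parts.scheme}://{parts.netloc}" if parts.hostname else None
    return origin, findings
```

Calling `audit_allow_from(clickjacking_params(SAMPLE))` returns the origin the value reduces to together with the findings for the wildcard and the path.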