Hi,

2016-05-05 13:58 GMT+03:00 Ruan van Tonder <ruan.vanton...@gm.com>:
>
> Good day
>
> We are running Apache Tomcat 7.0.64 on Windows Server 2012 R2. Currently
> we have an issue where an application page which we are using is being
> framed by another and due to the default settings in the HTTP header
> security filter is not being allowed to be displayed in Internet Explorer.
>
> I have attempted to add the referring URI into the HTTP header security
> config via the antiClickJackingUri parameter in the web.xml file located in
> Tomcat\conf\ e.g:
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
>     <init-param>
>         <param-name>antiClickJackingEnabled</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>antiClickJackingOption</param-name>
>         <param-value>ALLOW-FROM</param-value>
>     </init-param>
>     <init-param>
>         <param-name>antiClickJackingUri</param-name>
>         <param-value>http://savanttools.com/test-frame/*</param-value>
>     </init-param>
>     <init-param>
>         <param-name>blockContentTypeSniffingEnabled</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </filter>
>

This configuration is OK

> I wanted to confirm the syntax to be used for the URI as I am not able to
> find any specification in the documentation. Using the above syntax does
> not work.

There was an issue in the org.apache.catalina.filters.HttpHeaderSecurityFilter.
I fixed it.

If you can test against Tomcat 7 trunk it will be very helpful.

The fix will be available in Tomcat 7.0.70 onwards.

Regards,
Violeta

> Interestingly when using <param-value>ALLOW-FROM
> http://savanttools.com/test-frame/ </param-value> in the application
> specific web.xml it does seem to work (at least when disabling the HTTP
> header security at the top level web.xml).
>
> Does anybody please have any advice or experience in this regard?
>
> Thanks in advance
> Ruan van Tonder
>
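The thread turns on what value ends up in the X-Frame-Options header, so the following checker, added here and not part of the thread or of Tomcat, parses a captured header value against the RFC 7034 grammar and decides whether a given framing origin would be allowed. The sample header value and the page/framer URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Added checker (not from the thread or from Tomcat) for the X-Frame-Options value
# emitted for antiClickJackingOption=ALLOW-FROM, so a captured response can be
# verified instead of relying on Internet Explorer's behaviour.
# RFC 7034 grammar: "DENY" / "SAMEORIGIN" / ("ALLOW-FROM" RWS serialized-origin)
_ALLOW_FROM = re.compile(r"^ALLOW-FROM\s+(\S+)$", re.IGNORECASE)


def parse_x_frame_options(value):
    """Return (directive, uri); raise ValueError for anything a browser would not parse."""
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return v.upper(), None
    m = _ALLOW_FROM.match(v)
    if not m:  # catches e.g. a missing space between ALLOW-FROM and the URI
        raise ValueError("not a valid X-Frame-Options value: %r" % value)
    uri = m.group(1)
    if "*" in uri:  # ALLOW-FROM names exactly one origin; wildcards are not in the grammar
        raise ValueError("wildcard in ALLOW-FROM URI: %r" % uri)
    p = urlsplit(uri)
    if p.scheme.lower() not in ("http", "https") or not p.hostname:
        raise ValueError("ALLOW-FROM needs an absolute http(s) URI, got %r" % uri)
    return "ALLOW-FROM", uri


def is_valid_x_frame_options(value):
    """Boolean wrapper around parse_x_frame_options."""
    try:
        parse_x_frame_options(value)
        return True
    except ValueError:
        return False


def _origin(uri):
    """(scheme, host, port) triple; browsers compare origins, not paths."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or (443 if scheme == "https" else 80)


def framing_allowed(value, page_url, framer_url):
    """Would a browser that honours ALLOW-FROM let framer_url embed page_url?"""
    directive, uri = parse_x_frame_options(value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer_url)
    return _origin(uri) == _origin(framer_url)


# Constructed sample of the header the filter should send for the thread's configuration.
SAMPLE_HEADER = "ALLOW-FROM http://savanttools.com/test-frame/"
```

Only the origin part of the ALLOW-FROM URI matters to a browser, so the trailing path in the configured value is ignored by `framing_allowed`.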
