Mahalo, I will review that reference.

On Tue, Feb 10, 2026 at 9:17 PM Thomas Hoffmann (Speed4Trade GmbH) via users <[email protected]> wrote:
> Hello,
>
> > -----Original Message-----
> > From: Baron Fujimoto <[email protected]>
> > Sent: Tuesday, February 10, 2026 18:17
> > To: Tomcat Users <[email protected]>
> > Subject: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ?
> >
> > We're running Apereo's CAS 7 using Tomcat 11. We have a set of related
> > applications integrated with CAS that have been reporting the following errors
> > to us. (We have not had similar reports from the myriad other applications
> > also integrated with the CAS service)
> >
> > =====
> > Cookie "" has been rejected as third-party.
> > Request to access cookie or storage on "‹URL›" was blocked because we are
> > blocking all third-party storage access requests and Enhanced Tracking
> > Protection is enabled.
> > Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> > samesite=none; secure; httponly" has been rejected as third-party.
> > Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/;
> > expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly"
> > has been rejected as third-party.
> > Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> > samesite=none; secure; httponly" has been rejected as third-party.
> > Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/;
> > expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly"
> > has been rejected as third-party.
> > The loading of "https://cas.example.edu/cas/login?service=https%3A%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws%2Fj_spring_cas_security_check"
> > in a frame is denied by "X-Frame-Options" directive set to "deny".
> > =====
> >
> > They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS. How
> > can we set this for Tomcat?
> >
> > It's possible this is a red herring, or not the best approach to our situation, so
> > we're also completely open to other ideas or suggestions.
> >
> > --
> > Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> The X-FRAME-OPTIONS can be set via the security filter:
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
>
> The word "always" might originate from the Apache (http-Server) configuration, e.g.:
> Header always set X-Frame-Options "SAMEORIGIN"
>
> In Tomcat, you can use the security filter mentioned above.
>
> Greetings,
> Thomas
