Baron,
On 2/10/26 12:16 PM, Baron Fujimoto wrote:
We're running Apereo's CAS 7 using Tomcat 11. We have a set of related
applications integrated with CAS that have been reporting the following
errors to us. (We have not had similar reports from the myriad other
applications also integrated with the CAS service)
=====
Cookie "" has been rejected as third-party.
Request to access cookie or storage on "‹URL›" was blocked because we are
blocking all third-party storage access requests and Enhanced Tracking
Protection is enabled.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
as third-party.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
as third-party.
The loading of "
https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
spring cas security check" in a frame is denied by "X-Frame-Options"
directive set to "deny".
=====
They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS. How can
we set this for Tomcat?
Note that you can set SAMEORIGIN but the value ALWAYS isn't a thing.
Maybe they meant "ALWAYS set the header value to SAMEORIGIN"?
It's possible this is a red herring, or not the best approach to our
situation, so we're also completely open to other ideas or suggestions.
Thomas Hoffmann has already replied with correct information, but I
would advise you to look at Content Security Policy (CSP), which is a
much more modern standard for this kind of thing.
For example, it allows *very* fine-grained control over frame ancestor
behavior using the frame-ancestors directive, rather than the very
coarse-grained settings for X-Frame-Options.
Tomcat doesn't have a valve/filter for setting CSP, but OWASP has one. I
just read the code, and it's awful. I won't even bother giving you a
reference to it.
If you're interested in using CSP instead (which I'd recommend), write
back and I'll see what I can find.
-chris
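As an added example (not code from this thread, from Tomcat or from CAS): a small Jakarta Servlet filter for Tomcat 11 that sets a Content-Security-Policy header carrying only a frame-ancestors directive, so the policy can name the one origin that is allowed to frame the login page instead of the deny/sameorigin choice X-Frame-Options offers. Tomcat ships no CSP filter (its HttpHeaderSecurityFilter sets X-Frame-Options via antiClickJackingOption but not CSP), so a custom filter is the usual route. The class name, the frameAncestors init-parameter and the https://banner.example.edu:9000 origin (taken from the blocked URL in the console log) are assumptions.

```java
// Added example, not from the thread or from Tomcat/CAS. Targets Tomcat 11
// (Jakarta Servlet 6, Java 17+). Class and init-param names are assumptions.
package edu.example.cas.filters;

import java.io.IOException;
import java.util.regex.Pattern;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;

public class FrameAncestorsFilter implements Filter {

    // Deliberately narrow grammar for the sources we accept: 'self', 'none',
    // or an https origin, optionally with a port or a leading "*." label.
    // A typo in web.xml then fails at startup instead of shipping a policy
    // the browser cannot parse (which it would treat as no restriction
    // from this directive at all).
    private static final Pattern SOURCE = Pattern.compile(
            "'self'|'none'|https://(\\*\\.)?[A-Za-z0-9.-]+(:[0-9]{1,5})?");

    private String headerValue;

    // Validates the configured source list and builds the header value.
    // Kept static so it can be unit-tested without a container.
    static String buildHeaderValue(String raw) throws ServletException {
        if (raw == null || raw.isBlank()) {
            raw = "'self'";   // same effect as X-Frame-Options: SAMEORIGIN
        }
        String[] sources = raw.trim().split("\\s+");
        for (String s : sources) {
            if (!SOURCE.matcher(s).matches()) {
                throw new ServletException("Bad frame-ancestors source: " + s);
            }
        }
        // 'none' only makes sense on its own; anything else is a config error.
        if (sources.length > 1) {
            for (String s : sources) {
                if (s.equals("'none'")) {
                    throw new ServletException("'none' cannot be combined with other sources");
                }
            }
        }
        return "frame-ancestors " + String.join(" ", sources);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Example value for this thread's case (assumed):
        //   'self' https://banner.example.edu:9000
        headerValue = buildHeaderValue(config.getInitParameter("frameAncestors"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse http) {
            // Set before the chain runs: headers cannot be changed once the
            // response is committed. setHeader (not addHeader) so we never end
            // up with two CSP headers, which browsers enforce cumulatively.
            http.setHeader("Content-Security-Policy", headerValue);
        }
        chain.doFilter(req, res);
    }
}
```

Register it with a `<filter>` entry (and `<filter-mapping>` for the login URL pattern) in the application's web.xml, or in $CATALINA_BASE/conf/web.xml with the class on Tomcat's common classpath if it should apply to every webapp. Two checks worth doing before declaring victory: fetch the login page with `curl -I` and confirm the response carries exactly one Content-Security-Policy header and whatever X-Frame-Options value you intend, because a browser that sees frame-ancestors ignores X-Frame-Options entirely, so the CSP header silently becomes the only control; and note that the other errors in the console are Firefox rejecting the session cookies as third-party, which no framing header can fix, since a CAS login rendered inside a frame on another site remains a third-party context. Allowing that frame is also exactly the clickjacking exposure the "deny" value was protecting against, so keep the allow-list to the one origin that needs it.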
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]