Avoid multiple X-Frame-Options headers

borlafu · Rob Winch · commit 8a458eb9e1cf · 2017-03-08T15:49:18.000-06:00
XFrameOptionsHeaderWriter should not *add*, but *set* the X-Frame-Options header. According to https://tools.ietf.org/html/rfc7034#section-2.1, having multiple values for the header is disallowed: "There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values." With this change, only the latest XFrameOptionsHeaderWriter will remain.
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
@@ -74,16 +74,22 @@ public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) {
 		this.allowFromStrategy = allowFromStrategy;
 	}
 
+	/**
+	 * Writes the X-Frame-Options header value, overwritting any previous value.
+	 *
+	 * @param request the servlet request
+	 * @param response the servlet response
+	 */
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 		if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
 			String allowFromValue = allowFromStrategy.getAllowFromValue(request);
 			if (allowFromValue != null) {
-				response.addHeader(XFRAME_OPTIONS_HEADER,
+				response.setHeader(XFRAME_OPTIONS_HEADER,
 						XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
 			}
 		}
 		else {
-			response.addHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());
+			response.setHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());
 		}
 	}
 
diff --git a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java
@@ -108,4 +108,17 @@ public void writeHeadersSameOrigin() {
 		assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
 				.isEqualTo("SAMEORIGIN");
 	}
+
+	@Test
+	public void writeHeadersTwiceLastWins() {
+		writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN);
+		writer.writeHeaders(request, response);
+
+		writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY);
+		writer.writeHeaders(request, response);
+
+		assertThat(response.getHeaderNames().size()).isEqualTo(1);
+		assertThat(response.getHeader(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER))
+				.isEqualTo("DENY");
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -74,16 +74,22 @@ public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) {`
`74`	`74`	`this.allowFromStrategy = allowFromStrategy;`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ /**`
	`78`	`+ * Writes the X-Frame-Options header value, overwritting any previous value.`
	`79`	`+ *`
	`80`	`+ * @param request the servlet request`
	`81`	`+ * @param response the servlet response`
	`82`	`+ */`
`77`	`83`	`public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {`
`78`	`84`	`if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {`
`79`	`85`	`String allowFromValue = allowFromStrategy.getAllowFromValue(request);`
`80`	`86`	`if (allowFromValue != null) {`
`81`		`- response.addHeader(XFRAME_OPTIONS_HEADER,`
	`87`	`+ response.setHeader(XFRAME_OPTIONS_HEADER,`
`82`	`88`	`XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);`
`83`	`89`	`}`
`84`	`90`	`}`
`85`	`91`	`else {`
`86`		`- response.addHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());`
	`92`	`+ response.setHeader(XFRAME_OPTIONS_HEADER, frameOptionsMode.getMode());`
`87`	`93`	`}`
`88`	`94`	`}`
`89`	`95`