Avoid multiple X-Frame-Options headers #4237

@borlafu borlafu commented Mar 7, 2017

XFrameOptionsHeaderWriter should not add, but set the X-Frame-Options header.
According to https://tools.ietf.org/html/rfc7034#section-2.1, having multiple values for the header is disallowed:

There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.

With this change, only the latest XFrameOptionsHeaderWriter will remain.
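
An added example (not code from this pull request or from Spring Security) of the difference described above between adding and setting the header, checked against the RFC 7034 section 2.1 rule. The `Headers` class is a hypothetical stand-in that models the `addHeader`/`setHeader` semantics of `HttpServletResponse`, and the two-writers-on-one-response scenario is an assumption:

```java
import java.util.*;

// Added example: models add-vs-set with a plain map instead of a real
// HttpServletResponse, then checks the result against RFC 7034 section 2.1.
public class XFrameOptionsDemo {
    static final String XFO = "X-Frame-Options";

    // Hypothetical stand-in for the response header store (not Spring code).
    static final class Headers {
        private final Map<String, List<String>> values =
                new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

        void add(String name, String value) {   // like HttpServletResponse.addHeader
            values.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }

        void set(String name, String value) {   // like HttpServletResponse.setHeader
            values.put(name, new ArrayList<>(List.of(value)));
        }

        List<String> get(String name) {
            return values.getOrDefault(name, List.of());
        }
    }

    // RFC 7034 section 2.1: exactly one of DENY, SAMEORIGIN, ALLOW-FROM <origin>.
    static boolean isValid(List<String> headerValues) {
        if (headerValues.size() != 1) return false;   // header field repeated
        String v = headerValues.get(0).trim().toUpperCase(Locale.ROOT);
        if (v.contains(",")) return false;            // values folded into one field
        return v.equals("DENY") || v.equals("SAMEORIGIN") || v.startsWith("ALLOW-FROM ");
    }

    public static void main(String[] args) {
        // Constructed scenario: two writers run for the same response.
        Headers added = new Headers();
        added.add(XFO, "DENY");
        added.add(XFO, "SAMEORIGIN");
        System.out.println("add: " + added.get(XFO) + " valid=" + isValid(added.get(XFO)));

        Headers set = new Headers();
        set.set(XFO, "DENY");
        set.set(XFO, "SAMEORIGIN");
        System.out.println("set: " + set.get(XFO) + " valid=" + isValid(set.get(XFO)));
    }
}
```

The same `isValid` check can be pointed at the header values captured in an integration test to catch a response that carries more than one `X-Frame-Options` value.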

borlafu added 2 commits March 7, 2017 21:04
XFrameOptionsHeaderWriter should not *add*, but *set* the X-Frame-Options header.
According to https://tools.ietf.org/html/rfc7034#section-2.1, having multiple values for the header is disallowed:

"There are three different values for the header field.  These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values."

With this change, only the latest XFrameOptionsHeaderWriter will remain.
@pivotal-issuemaster

@borlafu Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-issuemaster

@borlafu Thank you for signing the Contributor License Agreement!

@rwinch rwinch added this to the 4.2.3 milestone Mar 8, 2017
@rwinch rwinch self-assigned this Mar 8, 2017
@rwinch rwinch added the "type: bug" (A general bug) and "in: web" (An issue in web modules (web, webmvc)) labels Mar 8, 2017
rwinch commented Mar 8, 2017

Thanks for the PR @borlafu! This is now merged into master :)

8a458eb

@rwinch rwinch closed this Mar 8, 2017
@borlafu borlafu deleted the patch-1 branch October 11, 2023 08:48