diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc index 678318e0f8..8307f52520 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc @@ -1034,6 +1034,10 @@ frame-options.attlist &= attribute value {xsd:string}? frame-options.attlist &= ## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'. + ## Deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + ## Content-Security-Policy with the + ## frame-ancestors + ## directive. attribute from-parameter {xsd:string}? diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd index 775697606e..436820de82 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd @@ -3000,7 +3000,10 @@ Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' - based strategy. Default is 'from'. + based strategy. Default is 'from'. Deprecated ALLOW-FROM is an obsolete directive that no + longer works in modern browsers. Instead use Content-Security-Policy with the <a + href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a> + directive. diff --git a/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java b/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java index 3656303c4d..cd00c06896 100644 --- a/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java +++ b/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java @@ -52,7 +52,12 @@ public class XsdDocumentedTests { "nsa-websocket-security", "nsa-ldap", "nsa-method-security", - "nsa-web"); + "nsa-web", + // deprecated and for removal + "nsa-frame-options-strategy", + "nsa-frame-options-ref", + "nsa-frame-options-value", + "nsa-frame-options-from-parameter"); String referenceLocation = "../docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc"; diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc index 7bb5671dcf..02754f1780 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc @@ -504,43 +504,12 @@ Default false. ** `DENY` The page cannot be displayed in a frame, regardless of the site attempting to do so. This is the default when frame-options-policy is specified. ** `SAMEORIGIN` The page can only be displayed in a frame on the same origin as the page itself -** `ALLOW-FROM origin` The page can only be displayed in a frame on the specified origin. + In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame it is the same as the one serving the page. -[[nsa-frame-options-strategy]] -* **strategy** -Select the `AllowFromStrategy` to use when using the ALLOW-FROM policy. - -** `static` Use a single static ALLOW-FROM value. -The value can be set through the <> attribute. -** `regexp` Use a regular expression to validate incoming requests and if they are allowed. -The regular expression can be set through the <> attribute. -The request parameter used to retrieve the value to validate can be specified using the <>. -** `whitelist` A comma-separated list containing the allowed domains. -The comma-separated list can be set through the <> attribute. -The request parameter used to retrieve the value to validate can be specified using the <>. - - - - -[[nsa-frame-options-ref]] -* **ref** -Instead of using one of the predefined strategies it is also possible to use a custom `AllowFromStrategy`. -The reference to this bean can be specified through this ref attribute. - - -[[nsa-frame-options-value]] -* **value** -The value to use when ALLOW-FROM is used a <>. - - -[[nsa-frame-options-from-parameter]] -* **from-parameter** -Specify the name of the request parameter to use when using regexp or whitelist for the ALLOW-FROM strategy. [[nsa-frame-options-parents]] diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java index 63a5ba573f..c01b25843c 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java @@ -29,7 +29,12 @@ import javax.servlet.http.HttpServletRequest; * * @author Marten Deinum * @since 3.2 + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ +@Deprecated abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy { private static final String DEFAULT_ORIGIN_REQUEST_PARAMETER = "x-frames-allow-from"; diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java index 25097295b0..7a61e46423 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java @@ -23,7 +23,12 @@ import javax.servlet.http.HttpServletRequest; * * @author Marten Deinum * @since 3.2 + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ +@Deprecated public interface AllowFromStrategy { /** diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java index a65aeea55b..b23d19375b 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java @@ -26,7 +26,12 @@ import java.util.regex.Pattern; * * @author Marten Deinum * @since 3.2 + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ +@Deprecated public final class RegExpAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy { diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java index 0df29fa746..13e170c777 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java @@ -20,7 +20,13 @@ import java.net.URI; /** * Simple implementation of the {@code AllowFromStrategy} + * + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ +@Deprecated public final class StaticAllowFromStrategy implements AllowFromStrategy { private final URI uri; diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java index c899833dbf..164583902c 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java @@ -24,7 +24,12 @@ import org.springframework.util.Assert; * * @author Marten Deinum * @since 3.2 + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ +@Deprecated public final class WhiteListedAllowFromStrategy extends AbstractRequestParameterAllowFromStrategy { diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java index 2c9b32cdb2..8562681350 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java @@ -68,7 +68,13 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter { * * @param allowFromStrategy the strategy for determining what the value for ALLOW_FROM * is. + * + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. */ + @Deprecated public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) { Assert.notNull(allowFromStrategy, "allowFromStrategy cannot be null"); this.frameOptionsMode = XFrameOptionsMode.ALLOW_FROM; @@ -107,7 +113,15 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter { * @since 3.2 */ public enum XFrameOptionsMode { - DENY("DENY"), SAMEORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM"); + DENY("DENY"), SAMEORIGIN("SAMEORIGIN"), + /** + * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use + * Content-Security-Policy with the + * frame-ancestors + * directive. + */ + @Deprecated + ALLOW_FROM("ALLOW-FROM"); private String mode;