Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive

Closes gh-8677
This commit is contained in:
Rob Winch 2020-06-10 10:06:38 -05:00
parent 6fbe58e624
commit a907026eae
10 changed files with 55 additions and 34 deletions


@ -1034,6 +1034,10 @@ frame-options.attlist &=
attribute value {xsd:string}? attribute value {xsd:string}?
frame-options.attlist &= frame-options.attlist &=
## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'. ## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'.
## Deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
## Content-Security-Policy with the
## <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
## directive.
attribute from-parameter {xsd:string}? attribute from-parameter {xsd:string}?


@ -3000,7 +3000,10 @@
<xs:attribute name="from-parameter" type="xs:string"> <xs:attribute name="from-parameter" type="xs:string">
<xs:annotation> <xs:annotation>
<xs:documentation>Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' <xs:documentation>Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp'
based strategy. Default is 'from'. based strategy. Default is 'from'. Deprecated ALLOW-FROM is an obsolete directive that no
longer works in modern browsers. Instead use Content-Security-Policy with the &lt;a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"&gt;frame-ancestors&lt;/a&gt;
directive.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>


@ -52,7 +52,12 @@ public class XsdDocumentedTests {
"nsa-websocket-security", "nsa-websocket-security",
"nsa-ldap", "nsa-ldap",
"nsa-method-security", "nsa-method-security",
"nsa-web"); "nsa-web",
// deprecated and for removal
"nsa-frame-options-strategy",
"nsa-frame-options-ref",
"nsa-frame-options-value",
"nsa-frame-options-from-parameter");
String referenceLocation = "../docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc"; String referenceLocation = "../docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc";
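Review bot: The four ids excluded here cover `strategy`, `ref`, `value` and `from-parameter`, but the schema hunks in this commit add the deprecation text only to `from-parameter`, so XML-namespace users who still set the other three attributes get no deprecation signal once their reference-doc entries are dropped; unless that is handled elsewhere, the same note belongs on those attributes' schema documentation, or the reference should keep a one-line pointer to `frame-ancestors` for all four. The comment could also name the tracking issue so the exclusions are removed together: `// deprecated and for removal (gh-8677)`. The enclosing list literal starts before the hunk.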


@ -504,43 +504,12 @@ Default false.
** `DENY` The page cannot be displayed in a frame, regardless of the site attempting to do so. ** `DENY` The page cannot be displayed in a frame, regardless of the site attempting to do so.
This is the default when frame-options-policy is specified. This is the default when frame-options-policy is specified.
** `SAMEORIGIN` The page can only be displayed in a frame on the same origin as the page itself ** `SAMEORIGIN` The page can only be displayed in a frame on the same origin as the page itself
** `ALLOW-FROM origin` The page can only be displayed in a frame on the specified origin.
+ +
In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site.
On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame it is the same as the one serving the page. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame it is the same as the one serving the page.
[[nsa-frame-options-strategy]]
* **strategy**
Select the `AllowFromStrategy` to use when using the ALLOW-FROM policy.
** `static` Use a single static ALLOW-FROM value.
The value can be set through the <<nsa-frame-options-value,value>> attribute.
** `regexp` Use a regular expression to validate incoming requests and if they are allowed.
The regular expression can be set through the <<nsa-frame-options-value,value>> attribute.
The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
** `whitelist` A comma-separated list containing the allowed domains.
The comma-separated list can be set through the <<nsa-frame-options-value,value>> attribute.
The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
[[nsa-frame-options-ref]]
* **ref**
Instead of using one of the predefined strategies it is also possible to use a custom `AllowFromStrategy`.
The reference to this bean can be specified through this ref attribute.
[[nsa-frame-options-value]]
* **value**
The value to use when ALLOW-FROM is used a <<nsa-frame-options-strategy,strategy>>.
[[nsa-frame-options-from-parameter]]
* **from-parameter**
Specify the name of the request parameter to use when using regexp or whitelist for the ALLOW-FROM strategy.
[[nsa-frame-options-parents]] [[nsa-frame-options-parents]]


@ -29,7 +29,12 @@ import javax.servlet.http.HttpServletRequest;
* *
* @author Marten Deinum * @author Marten Deinum
* @since 3.2 * @since 3.2
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy { abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy {
private static final String DEFAULT_ORIGIN_REQUEST_PARAMETER = "x-frames-allow-from"; private static final String DEFAULT_ORIGIN_REQUEST_PARAMETER = "x-frames-allow-from";
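Review bot: The `@deprecated` text names the HTTP replacement but not the replacement in this library, so a reader of `AbstractRequestParameterAllowFromStrategy` still has to work out which header writer emits the CSP header; ending the tag with `e.g. via {@link org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter}.` gives an actionable migration path. The same tag is copied verbatim into `AllowFromStrategy`, `RegExpAllowFromStrategy`, `StaticAllowFromStrategy`, `WhiteListedAllowFromStrategy` and `XFrameOptionsHeaderWriter` in this commit and would benefit from the same link. If the build baseline permits it, `@Deprecated(forRemoval = true)` would also match the "for removal" intent stated in the `XsdDocumentedTests` change.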


@ -23,7 +23,12 @@ import javax.servlet.http.HttpServletRequest;
* *
* @author Marten Deinum * @author Marten Deinum
* @since 3.2 * @since 3.2
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
public interface AllowFromStrategy { public interface AllowFromStrategy {
/** /**


@ -26,7 +26,12 @@ import java.util.regex.Pattern;
* *
* @author Marten Deinum * @author Marten Deinum
* @since 3.2 * @since 3.2
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
public final class RegExpAllowFromStrategy extends public final class RegExpAllowFromStrategy extends
AbstractRequestParameterAllowFromStrategy { AbstractRequestParameterAllowFromStrategy {


@ -20,7 +20,13 @@ import java.net.URI;
/** /**
* Simple implementation of the {@code AllowFromStrategy} * Simple implementation of the {@code AllowFromStrategy}
*
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
public final class StaticAllowFromStrategy implements AllowFromStrategy { public final class StaticAllowFromStrategy implements AllowFromStrategy {
private final URI uri; private final URI uri;


@ -24,7 +24,12 @@ import org.springframework.util.Assert;
* *
* @author Marten Deinum * @author Marten Deinum
* @since 3.2 * @since 3.2
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
public final class WhiteListedAllowFromStrategy extends public final class WhiteListedAllowFromStrategy extends
AbstractRequestParameterAllowFromStrategy { AbstractRequestParameterAllowFromStrategy {


@ -68,7 +68,13 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
* *
* @param allowFromStrategy the strategy for determining what the value for ALLOW_FROM * @param allowFromStrategy the strategy for determining what the value for ALLOW_FROM
* is. * is.
*
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/ */
@Deprecated
public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) { public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) {
Assert.notNull(allowFromStrategy, "allowFromStrategy cannot be null"); Assert.notNull(allowFromStrategy, "allowFromStrategy cannot be null");
this.frameOptionsMode = XFrameOptionsMode.ALLOW_FROM; this.frameOptionsMode = XFrameOptionsMode.ALLOW_FROM;
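Review bot: The deprecated constructor still sets `XFrameOptionsMode.ALLOW_FROM` and so still emits the directive, while the `@deprecated` text says only that it "no longer works"; the security-relevant consequence is that browsers which do not recognise ALLOW-FROM typically discard the whole X-Frame-Options header, so a response produced through this constructor ends up with no framing protection at all rather than a stricter one. Saying so in the tag, e.g. `Browsers that do not support ALLOW-FROM ignore the X-Frame-Options header entirely, leaving the response unprotected against framing; use Content-Security-Policy frame-ancestors instead.`, tells callers why migration is necessary rather than optional. The same caveat applies to the `ALLOW_FROM` enum constant in the second hunk of this file. The constructor body continues past the hunk.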
@ -107,7 +113,15 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
* @since 3.2 * @since 3.2
*/ */
public enum XFrameOptionsMode { public enum XFrameOptionsMode {
DENY("DENY"), SAMEORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM"); DENY("DENY"), SAMEORIGIN("SAMEORIGIN"),
/**
* @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
* Content-Security-Policy with the
* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
* directive.
*/
@Deprecated
ALLOW_FROM("ALLOW-FROM");
private String mode; private String mode;