From cc7f504f96cb846d56f82181f8aa64983f211788 Mon Sep 17 00:00:00 2001
From: Nathan Wong
Date: Wed, 20 Sep 2017 10:21:49 -0400
Subject: [PATCH] Add check to see if return value is DENY

Originally, if the return from getAllowFromValue(request) is "DENY", then the X-Frame-Options header's value will proceed to be written as "ALLOW FROM DENY" - an invalid value.

This commit adds a condition in the if clause that checks whether allowFromValue is "DENY". This way, the X-Frame-Options header will be written as "ALLOW FROM origin" or "DENY".

Issue gh-4771
---
 .../header/writers/frameoptions/XFrameOptionsHeaderWriter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
index 75fbb16432..bfc5e94dc5 100644
--- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
@@ -83,7 +83,7 @@ public final class XFrameOptionsHeaderWriter implements HeaderWriter {
 public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 if (XFrameOptionsMode.ALLOW_FROM.equals(frameOptionsMode)) {
 String allowFromValue = allowFromStrategy.getAllowFromValue(request);
- if (allowFromValue != null) {
+ if (allowFromValue != null && !allowFromValue.equals(XFrameOptionsMode.DENY.getMode())) {
 response.setHeader(XFRAME_OPTIONS_HEADER, XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
 }
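Review bot: The new condition on the `+` line makes a DENY result write no X-Frame-Options header at all: the inner `if` is the only header write on the ALLOW_FROM path visible here, so a request the strategy wants to refuse framing for now goes out with no clickjacking protection (fail-open), unless something after the inner `if`, outside the hunk, writes it. The commit message says the header will be written as "DENY" in that case, but no line in the hunk does that. I would branch on the DENY value explicitly and emit it, using `XFrameOptionsMode.DENY.getMode().equals(allowFromValue)` so a null return needs no separate guard, and fall through to the ALLOW-FROM write only for a non-null, non-DENY value. writeHeaders continues past the end of the hunk.
```java
			String allowFromValue = allowFromStrategy.getAllowFromValue(request);
			if (XFrameOptionsMode.DENY.getMode().equals(allowFromValue)) {
				// strategy refused this origin: send DENY rather than no header
				response.setHeader(XFRAME_OPTIONS_HEADER, XFrameOptionsMode.DENY.getMode());
			}
			else if (allowFromValue != null) {
				response.setHeader(XFRAME_OPTIONS_HEADER, XFrameOptionsMode.ALLOW_FROM.getMode() + " " + allowFromValue);
			}
```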