From f02b77794f7d32670d963ad3dce50959729242b7 Mon Sep 17 00:00:00 2001
From: getvictor
Date: Sun, 9 Feb 2014 10:34:42 -0600
Subject: [PATCH] SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.

The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
---
 .../frameoptions/AbstractRequestParameterAllowFromStrategy.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java
index 06078792a2..3ba0e66685 100644
--- a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java
@@ -30,7 +30,7 @@ abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStr
 log.debug("Supplied origin '"+allowFromOrigin+"'");
 }
 if (StringUtils.hasText(allowFromOrigin) && allowed(allowFromOrigin)) {
- return "ALLOW-FROM " + allowFromOrigin;
+ return allowFromOrigin;
 } else {
 return "DENY";
 }
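Review bot: The added line returns the raw request parameter, so the only check between a request-supplied string and the X-Frame-Options header is `allowed(allowFromOrigin)`, which is implemented outside this hunk (presumably by subclasses of this abstract class) and is not tightened by the commit. If a subclass matches loosely — an unanchored pattern, or a check that tolerates CR/LF or surrounding whitespace — the bare value now passes straight through, which is worth stating at the return site: `return allowFromOrigin; // request-controlled; emitted verbatim after "ALLOW-FROM " by the caller — allowed() must anchor its match and reject control characters`. The commit message infers from the interface Javadoc that the caller adds the prefix; that is worth confirming against the header writer, since if nothing prepends it the header degrades from a directive to a bare origin string. The enclosing method begins before this hunk, so its own Javadoc could not be checked for a matching `@return` description.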