I have a static html page that incorporates a <frame>.
If I start things up locally with an npm run start, the static html page displays fine.
The front end of this app needs to run against Spring Boot, though.
And when I start the front end up in Spring Boot, I get the following error when I try to display the html page:
Refused to display 'http://localhost:4200/' in a frame because it set 'X-Frame-Options' to 'deny'.
I know that I'm not explicitly setting X-Frame-Options to deny anywhere - but I thought maybe I could explicitly set it to sameorigin by doing something like this:
```html
<script type="text/javascript" language="javascript">
  add_header "X-Frame-Options" "SAMEORIGIN";
  var strHTML = "<frameset rows=\"32,*\"> <frame src=\"whskin_tbars.htm\"></frame></frameset>";
  document.write(strHTML);
</script>
```
asked Mar 20 at 20:32 by Tim, edited Mar 21 at 13:24 by canon
- Presumably, that header needs to be configured from the server (Spring Boot). You can't do that from client browser JavaScript. – canon Commented Mar 20 at 20:40
- That seems logical, since it was working fine when doing npm run start, and also against WebLogic; and also because there is nowhere in the code that it is being set to deny. – Tim Commented Mar 20 at 20:47
- Check stackoverflow/questions/28647136/… – James Commented Mar 20 at 20:49
- thanks - that definitely got me on the right track (see above). – Tim Commented Mar 21 at 0:09
- @Tim I've extracted your solution into an answer. You can either mark that as accepted or write your own and I'll delete mine. In the future, if you find a solution to your own question, just post the answer as an answer rather than editing the question itself to incorporate the answer. – canon Commented Mar 21 at 13:29
1 Answer
This answer was extracted from the OP's question. See the revision history.
Okay, I believe it's fixed by following some of the examples in the link of James's post. Although it doesn't have an 'active' backend that interacts with the frontend, the frontend has several java files it hits upon startup of the frontend.
It was fixed by adding
```java
http.headers(headers -> {
    headers.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
});
```
to a function that returns a SecurityFilterChain upon startup:
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // Permit every request without authentication.
    http.authorizeRequests(requests -> requests
            .requestMatchers("/**").permitAll());
    // Send X-Frame-Options: SAMEORIGIN so same-origin pages can frame responses.
    http.headers(headers -> {
        headers.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
    });
    return http.build();
}
```
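The browser-side rule behind the error message and the fix, as an added example that is not part of the original question or answer: it follows the X-Frame-Options check described in the HTML Standard, which also shows why a response carrying both DENY and SAMEORIGIN is still refused. The function name, its parameters and the sample headers and URLs are constructed for illustration.

```javascript
// Added example: decides whether X-Frame-Options lets a response load in a frame.
// xfoAllowsFraming and its parameters are hypothetical names.
function xfoAllowsFraming(headers, framedUrl, ancestorUrls) {
  // Header names are case-insensitive; a repeated header arrives as an array.
  const byName = {};
  for (const [name, value] of Object.entries(headers)) {
    byName[name.toLowerCase()] = [].concat(value).join(",");
  }

  // An enforced CSP with frame-ancestors makes the browser ignore X-Frame-Options.
  const csp = byName["content-security-policy"] || "";
  if (/(^|[;,])\s*frame-ancestors(\s|;|$)/i.test(csp)) {
    return { allowed: null, reason: "frame-ancestors present; X-Frame-Options ignored" };
  }

  // Split on commas, trim, lower-case and de-duplicate the values.
  const values = [...new Set(
    (byName["x-frame-options"] || "").split(",")
      .map(v => v.trim().toLowerCase()).filter(v => v !== "")
  )];
  const known = ["deny", "sameorigin", "allowall"];

  if (values.length === 0) return { allowed: true, reason: "no X-Frame-Options header" };
  if (values.length > 1) {
    // Conflicting values fail closed as soon as one recognised value is involved.
    return values.some(v => known.includes(v))
      ? { allowed: false, reason: "conflicting values: " + values.join(", ") }
      : { allowed: true, reason: "only unrecognised values" };
  }
  if (values[0] === "deny") return { allowed: false, reason: "deny" };
  if (values[0] === "sameorigin") {
    // Every ancestor document must share the framed document's origin.
    const origin = new URL(framedUrl).origin;
    const ok = ancestorUrls.every(u => new URL(u).origin === origin);
    return { allowed: ok, reason: ok ? "all ancestors same-origin" : "cross-origin ancestor" };
  }
  return { allowed: true, reason: "unrecognised value ignored: " + values[0] };
}

// Constructed sample responses for a page and frame served from one origin.
const PAGE = "http://localhost:4200/";
const FRAME = "http://localhost:4200/whskin_tbars.htm";
const samples = {
  denyResponse: { "X-Frame-Options": "DENY" },
  afterFix: { "X-Frame-Options": "SAMEORIGIN" },
  bothSent: { "X-Frame-Options": ["DENY", "SAMEORIGIN"] },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, xfoAllowsFraming(hdrs, FRAME, [PAGE]));
}
```

After changing the server configuration, inspect the actual response headers in the browser's network tab and confirm that exactly one X-Frame-Options value is sent.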