I think the configuration option you need is "cas.http-web-request.header.xframe-options". We moved our Banner apps off our local CAS server quite some time ago, but this was the option I had to set to deal with some of the frame issues we were seeing.
Noelette Stout

On Tue, Feb 10, 2026 at 10:20 AM Baron Fujimoto <[email protected]> wrote:

> When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a
> problem with some Banner apps we integrate with. This problem is still
> present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
> handle the Duo expiring certificate issue.
>
> This is what the Banner side reports when they encounter the problem that
> prevents their authentication:
> =====
> Cookie "" has been rejected as third-party.
> Request to access cookie or storage on "‹URL›" was blocked because we are
> blocking all third-party storage access requests and Enhanced Tracking
> Protection is enabled.
> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
> as third-party.
> Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT;
> samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been rejected
> as third-party.
> The loading of "
> https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
> spring cas security check" in a frame is denied by "X-Frame-Options"
> directive set to "deny".
> =====
>
> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.
>
> Is this even a CAS thing? From what I gather, it's applicable to the web
> server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2,
> and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for
> other apps.
>
> Is this something controlled by CAS after all? If so, can we tweak it
> as requested – preferably just for their service registrations?
>
> Because only these Banner apps suffer from this as far as we know, we were
> inclined to think that the problem is on the application side. But
> ultimately because these apps are so important to the institution, we need
> to find a workaround one way or another.
>
> Any ideas or suggestions would be appreciated.
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

--
Noelette Stout
Enterprise Access Manager
Senior Application Administrator
Idaho State University
E-mail: stounoel "at" isu "dot" edu
Desk: 208-282-2554

*I am sending this message now because it suits me, but I don’t expect that you will read, respond to, or act on it outside of comfortable hours for your time zone.*

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC3gc2HBK_%3DCyOKHmmppLhrdQWvY9-F6u3jOcxr9B7HAOU3kTw%40mail.gmail.com.
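Added example (not part of the thread and not CAS or Banner code): a simplified model of how a browser decides whether one page may frame another, useful for checking a candidate `X-Frame-Options` or CSP `frame-ancestors` value before changing the CAS setting. The function names and sample URLs are assumptions modelled on the hosts in the quoted log; note that `SAMEORIGIN` still blocks a parent on a different host or port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header value, or None."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_allowed(headers, framed_url, parent_url):
    """Return (allowed, reason) for parent_url embedding framed_url in a frame.

    Simplified: one level of nesting; CSP sources limited to 'none', 'self'
    and full origins such as https://host:port (no wildcards).
    """
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(framed_url) == origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        for src in sources:
            if (src.lower() == "'self'" and same) or origin(src) == origin(parent_url):
                return True, "allowed by frame-ancestors " + src
        return False, "denied by frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "denied by X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return same, "X-Frame-Options: SAMEORIGIN, same origin = %s" % same
    # Absent, ALLOW-FROM (obsolete) or unrecognised values are not enforced.
    return True, "no framing restriction enforced"

# Constructed sample URLs, modelled on the hosts in the quoted browser log.
CAS_LOGIN = "https://cas.example.edu/cas/login"
BANNER = "https://banner.example.edu:9000/BannerAdmin.ws"
```
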
