Repository: wicket Updated Branches: refs/heads/wicket-7.x 139f6248a -> 6eef0a12c
Use "sameorigin" as a value for "X-Frame-Options" because "deny" would break the Ajax functionality and Modal window with a page Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6eef0a12 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6eef0a12 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6eef0a12 Branch: refs/heads/wicket-7.x Commit: 6eef0a12c9e442fb0d419daccfecd5b489f8cdc4 Parents: 139f624 Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Mon Aug 29 09:31:43 2016 +0200 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Mon Aug 29 09:33:18 2016 +0200 ---------------------------------------------------------------------- .../src/docs/guide/security/security_6.gdoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/6eef0a12/wicket-user-guide/src/docs/guide/security/security_6.gdoc ----------------------------------------------------------------------
diff --git a/wicket-user-guide/src/docs/guide/security/security_6.gdoc b/wicket-user-guide/src/docs/guide/security/security_6.gdoc
index bbb0316..d8e7383 100644
--- a/wicket-user-guide/src/docs/guide/security/security_6.gdoc
+++ b/wicket-user-guide/src/docs/guide/security/security_6.gdoc
@@ -13,12 +13,12 @@ protected void init()
 @Override
 public void onEndRequest(RequestCycle cycle) {
- ((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1; mode=block");
- ((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security", "max-age=31536000;"
- + " includeSubDomains; preload");
- ((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options", "nosniff");
- ((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", "DENY");
- ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", "default-src https:");
+ WebResponse response = (WebResponse) cycle.getResponse();
+ response.setHeader("X-XSS-Protection", "1; mode=block");
+ response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("X-Frame-Options", "sameorigin");
+ response.setHeader("Content-Security-Policy", "default-src https:");
 }
 });
 }
