Hi,
yep, it's indeed the GeoServer filter you mentioned that adds the header.
Documentation here:
http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy

In case that does not help, source code here:
https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/filters/XFrameOptionsFilter.java#L18

Cheers
Andrea

On Thu, Jun 21, 2018 at 2:31 PM, Rusu Sorin via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:

> Hi,
>
> I am trying to use Geoserver data in a JS WebGIS application.
> I am having trouble disabling the X-Frame-Options from adding the
> SAMEORIGIN header to incoming requests.
>
> I have read the instructions on:
> http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy
>
> My TOMCAT's conf/web.xml has deactivated X-FRAME-OPTIONS:
>
> <filter>
>     <filter-name>HttpHeaderSecurityFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
>     <init-param>
>         <param-name>antiClickJackingEnabled</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>HttpHeaderSecurityFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> Requests to localhost:8080/manager do not show the X-Frame-Options, so it
> should be working.
>
> My geoserver's web.xml has the following configuration:
>
> <filter>
>     <filter-name>xFrameOptionsFilter</filter-name>
>     <filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
>     <init-param>
>         <param-name>geoserver.xframe.policy</param-name>
>         <param-value>DENY</param-value>
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>xFrameOptionsFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> Each time I do a request to the geoserver I get a response with the
> dreaded X-FRAME-OPTIONS: SAMEORIGIN
> Does anyone have any insight on how to set geoserver to stop being
> secured against clickJacking?
>
> BTW, this stackexchange answer is no good:
> https://gis.stackexchange.com/questions/267758/setting-geoserver-x-frame-options
> it breaks the geoserver if you use the values and it won't run.
>
> Any ideas?
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>


-- 
Regards,
Andrea Aime
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
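The thread above turns on which component emits `X-Frame-Options: SAMEORIGIN` and what a browser does with it once the value changes or the header disappears. The following is an added example, not code from the thread or from the GeoServer project: it parses the header block of an HTTP response and reports whether a browser would let a given WebGIS page frame the GeoServer response, so that a change to the Tomcat `HttpHeaderSecurityFilter` or the GeoServer `XFrameOptionsFilter` can be verified against captured headers (for a live deployment, feed it the output of `curl -sI` against the service). The responses, the `http://localhost:8080/geoserver/wms` URL and the `http://webgis.example:3000` origin are constructed for the example. Note that with the header removed the check reports the service as frameable by any origin, which is the trade-off being made when the filter is switched off.

```python
"""Added example: classify X-Frame-Options behaviour for a framed GeoServer page.

Not part of the mailing-list thread or the GeoServer project. All HTTP
responses and URLs below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed sample responses: before and after the X-Frame-Options filter
# is switched off in the servlet container or in GeoServer.
RESPONSE_WITH_SAMEORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
RESPONSE_WITHOUT_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Turn the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. Repeated headers are joined with ', ', so two
    filters that both set X-Frame-Options show up as one combined value."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: what SAMEORIGIN compares.
    Default ports are not normalised (http://h and http://h:80 differ here)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers: dict, page_url: str, framing_page_url: str):
    """Return (allowed, reason) for page_url loaded in an <iframe> on
    framing_page_url, judged on X-Frame-Options alone. Only the top-level
    origin is compared; browsers also check every intermediate ancestor."""
    value = headers.get("x-frame-options")
    if value is None:
        return True, "no X-Frame-Options header: any origin may frame this page"
    policies = sorted({p.strip().upper() for p in value.split(",")})
    if len(policies) > 1:
        # Conflicting directives (for example one from Tomcat's filter and one
        # from GeoServer's): browsers refuse to render the frame.
        return False, f"conflicting X-Frame-Options values {policies}: framing blocked"
    policy = policies[0]
    if policy == "DENY":
        return False, "DENY: no origin may frame this page"
    if policy == "SAMEORIGIN":
        same = origin_of(page_url) == origin_of(framing_page_url)
        return same, ("SAMEORIGIN: framing origin matches" if same
                      else "SAMEORIGIN: framing origin differs, framing blocked")
    # ALLOW-FROM and any other unrecognised value: modern browsers ignore the
    # whole header, which leaves the page frameable from anywhere.
    return True, f"unrecognised value {policy!r}: header ignored, framing allowed"


def report(raw_response: str, page_url: str, framing_page_url: str) -> str:
    """One-line verdict for a captured response, e.g. 'BLOCKED - SAMEORIGIN: ...'."""
    allowed, reason = framing_allowed(parse_headers(raw_response), page_url, framing_page_url)
    return f"{'ALLOWED' if allowed else 'BLOCKED'} - {reason}"


if __name__ == "__main__":
    wms = "http://localhost:8080/geoserver/wms"      # assumed GeoServer URL
    webgis = "http://webgis.example:3000/map.html"   # assumed WebGIS page
    print(report(RESPONSE_WITH_SAMEORIGIN, wms, webgis))
    print(report(RESPONSE_WITH_SAMEORIGIN, wms, "http://localhost:8080/app/"))
    print(report(RESPONSE_WITHOUT_HEADER, wms, webgis))
```

The conflicting-values branch is the one worth keeping in mind for this thread: if the container filter and the GeoServer filter both emit the header with different values, the combined response is blocked everywhere, which looks like a stricter policy than either filter configured on its own.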