James,
On 3/23/20 18:10, James H. H. Lampert wrote:
> We recently enabled the httpHeaderSecurity filter globally (i.e.,
> in conf/web.xml) on several customer Tomcat servers, thusly:
>
>> <filter>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>   <init-param>
>>     <param-name>antiClickJackingOption</param-name>
>>     <param-value>SAMEORIGIN</param-value>
>>   </init-param>
>>   <async-supported>true</async-supported>
>> </filter>
>
> and now, it seems to be having a side effect on our mobile app,
> such that the "dashboard" function of our product, while it
> continues to work when accessed from a browser, is failing when
> accessed from our mobile app. So far as we know, it's *only* the
> dashboard function (which is in turn based on BIRT).
>
> I know this sounds vague; it's vague because I haven't a clue
> what's going on. I was hoping that somebody here might have some
> insights I could pass on to our webapp/mobile app team.

As soon as I added the sameSite=lax cookie policy to our development server, our mobile app exploded. We have also had problems with CORS which broke our mobile application as well.

Your problem may stem from the same, related issues we were having: many mobile apps are actually web applications being "served" by a "server" which responds to requests to "localhost". The site-origin for the mobile application is therefore "localhost" and does not match "example.com" whence the real data is being fetched.

I don't understand exactly how X-Frame-Options (which is what the HttpHeaderSecurityFilter is configuring) is being used by your application, but I believe X-Frame-Options is essentially being replaced by various features of Content-Security-Policy.
You may want to talk to your engineers about using one of those versus the other; you may want to discontinue using the "anti click-jacking" features of this filter altogether in favor of something else.

-chris
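The following is an added illustration, not code from Tomcat or from either poster: it models the anti-framing decision a browser makes from `X-Frame-Options` and a CSP `frame-ancestors` directive, so a team can reason about why a `SAMEORIGIN` header from the filter above breaks a dashboard embedded by a web view served from `localhost` while a normal browser session keeps working. The URLs and header values are constructed for the example, and the model simplifies the spec (no default-port normalisation; only the common `frame-ancestors` source forms).

```python
"""Model of a browser's anti-framing decision (added illustration, not code
from Tomcat or from the posters). Simplified: default ports are not
normalised and only common frame-ancestors source forms are handled."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] in lower case, the browser's notion of origin."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.hostname.lower()}" + (f":{p.port}" if p.port else "")


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _matches(source: str, ancestor: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedding origin."""
    if source in ("none", "self", "*"):
        return {"none": False, "self": ancestor == page, "*": True}[source]
    if source.endswith(":"):                      # scheme-source such as https:
        return ancestor.startswith(source + "//")
    scheme, _, host = source.rpartition("://")    # host-source, scheme optional
    a_scheme, _, a_host = ancestor.partition("://")
    if scheme and scheme != a_scheme:
        return False
    return a_host.endswith(host[1:]) if host.startswith("*.") else a_host == host


def frame_allowed(headers: dict, page_url: str, ancestor_url: str) -> bool:
    """True if the page served with `headers` may be framed from `ancestor_url`."""
    h = {k.lower(): v for k, v in headers.items()}
    page, ancestor = origin_of(page_url), origin_of(ancestor_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                       # CSP wins over X-Frame-Options
        return any(_matches(s, ancestor, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor == page
    return True                                   # no (valid) anti-framing header
```

For the quoted filter configuration, `frame_allowed({"X-Frame-Options": "SAMEORIGIN"}, "https://example.com/app/dashboard", "http://localhost:8080/")` returns `False`, while the same page framed from another `https://example.com` document returns `True`; a `Content-Security-Policy: frame-ancestors 'self' <mobile shell origin>` header is how you would allow a specific embedder without dropping protection for everyone else.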