We're running Apereo's CAS 7 using Tomcat 11. We have a set of related applications integrated with CAS that have been reporting the following errors to us. (We have not had similar reports from the myriad other applications also integrated with the CAS service)
=====
Cookie "" has been rejected as third-party.
Request to access cookie or storage on "‹URL›" was blocked because we are blocking all third-party storage access requests and Enhanced Tracking Protection is enabled.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
The loading of "https://cas.example.edu/cas/login?service=https%3A%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws%2Fj_spring_cas_security_check" in a frame is denied by "X-Frame-Options" directive set to "deny".
=====

They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS. How can we set this for Tomcat?

It's possible this is a red herring, or not the best approach to our situation, so we're also completely open to other ideas or suggestions.

-- 
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
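
An added check, not part of the message above and not code from CAS or Tomcat: before changing any header, it is worth working out what a browser would actually do with each candidate response. The script below models the HTML spec's X-Frame-Options check (conflicting values block, DENY blocks, SAMEORIGIN compares the embedding origin with the framed origin) and the rule that a Content-Security-Policy frame-ancestors directive, when present, replaces X-Frame-Options. It runs that model over constructed header sets modelled on the console output quoted above; the URLs cas.example.edu and banner.example.edu:9000 are taken from that output, and the header sets, the assumption of a single embedding ancestor, and the simplified host-source matching are all mine.

```python
"""Model of browser framing rules, applied to constructed CAS/Banner header sets."""
from urllib.parse import urlsplit

# Constructed inputs modelled on the Firefox console output quoted in the thread.
CAS_LOGIN = "https://cas.example.edu/cas/login"
BANNER_PAGE = "https://banner.example.edu:9000/BannerAdmin.ws/"

HEADERS_DENY = "Content-Type: text/html\nX-Frame-Options: DENY"
HEADERS_SAMEORIGIN = "Content-Type: text/html\nX-Frame-Options: SAMEORIGIN"
# What the response looks like if a container-level filter adds SAMEORIGIN
# while the application keeps emitting its own DENY.
HEADERS_CONFLICT = "X-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN"
# A CSP frame-ancestors directive naming the embedding origin explicitly.
HEADERS_CSP = ("X-Frame-Options: DENY\n"
               "Content-Security-Policy: default-src 'self'; "
               "frame-ancestors 'self' https://banner.example.edu:9000")

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """(scheme, host, port) tuple; the port is filled in from the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def parse_headers(raw):
    """Header name (lower-cased) -> list of values, preserving repeated headers."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(headers):
    """Source list of the first frame-ancestors directive, or None if there is none."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def source_matches(source, embedder, framed):
    """Simplified CSP source matching for one ancestor origin (assumption: no
    path component, wildcard only as a leading '*.' label or a '*' port)."""
    scheme, host, port = embedder
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == framed
    if src in ("https:", "http:"):
        return scheme == src[:-1]
    src_scheme, _, rest = src.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    if src_scheme and src_scheme != scheme:
        return False
    if src_port == "*":
        port_ok = True
    elif src_port:
        port_ok = int(src_port) == port
    else:
        port_ok = port == DEFAULT_PORTS.get(scheme)  # no port given: default only
    if not port_ok:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return src_host == host


def framing_allowed(framed_url, embedder_url, raw_headers):
    """Would a page at embedder_url be allowed to frame framed_url, given the
    framed response's headers? Single ancestor only (assumption); a browser
    walks every ancestor in the frame chain."""
    framed, embedder = origin_of(framed_url), origin_of(embedder_url)
    headers = parse_headers(raw_headers)
    sources = frame_ancestors(headers)
    if sources is not None:
        # CSP frame-ancestors present: X-Frame-Options is ignored entirely.
        return any(source_matches(s, embedder, framed) for s in sources)
    values = set()
    for value in headers.get("x-frame-options", []):
        values.update(v.strip().lower() for v in value.split(","))
    if len(values) > 1 and values & {"deny", "sameorigin", "allowall"}:
        return False  # conflicting values (e.g. DENY plus SAMEORIGIN): blocked
    if len(values) != 1:
        return True   # header absent, or only unrecognised tokens: no restriction
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder == framed
    return True       # unrecognised token (including legacy ALLOW-FROM) is ignored


def report(embedder_url=BANNER_PAGE):
    """Outcome of framing the CAS login page from embedder_url under each header set."""
    cases = {"DENY": HEADERS_DENY, "SAMEORIGIN": HEADERS_SAMEORIGIN,
             "DENY+SAMEORIGIN": HEADERS_CONFLICT, "CSP frame-ancestors": HEADERS_CSP}
    return {name: framing_allowed(CAS_LOGIN, embedder_url, h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:22s} -> {'allowed' if ok else 'blocked'}")
```

Two things the model makes concrete for this thread: banner.example.edu:9000 and cas.example.edu are different origins, so SAMEORIGIN on the CAS response blocks the Banner frame exactly as DENY does, and if a container-level filter (Tomcat's org.apache.catalina.filters.HttpHeaderSecurityFilter, whose antiClickJackingOption init-param takes DENY or SAMEORIGIN) adds a second X-Frame-Options value on top of one the application already emits, the conflicting pair is treated as blocked. Only a frame-ancestors directive can name another origin, and whether a login page should be frameable at all is a clickjacking question that the DENY default exists to answer.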
