Hello,

> -----Original Message-----
> From: Baron Fujimoto <[email protected]>
> Sent: Tuesday, 10 February 2026 18:17
> To: Tomcat Users <[email protected]>
> Subject: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ?
>
> We're running Apereo's CAS 7 using Tomcat 11. We have a set of related
> applications integrated with CAS that have been reporting the following errors
> to us. (We have not had similar reports from the myriad other applications
> also integrated with the CAS service.)
>
> =====
> Cookie "" has been rejected as third-party.
> Request to access cookie or storage on "‹URL›" was blocked because we are
> blocking all third-party storage access requests and Enhanced Tracking
> Protection is enabled.
> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
> The loading of "https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi spring cas security check" in a frame is denied by "X-Frame-Options" directive set to "deny".
> =====
>
> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS. How
> can we set this for Tomcat?
>
> It's possible this is a red herring, or not the best approach to our
> situation, so we're also completely open to other ideas or suggestions.
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
The X-FRAME-OPTIONS can be set via the security filter:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter

The word "always" might originate from the Apache (http-Server) configuration, e.g.:

    Header always set X-Frame-Options "SAMEORIGIN"

In Tomcat, you can use the security filter mentioned above.

Greetings,
Thomas
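As an added example (not part of the thread above, and not Tomcat's own shipped configuration), this is what the filter Thomas points to looks like when configured for SAMEORIGIN rather than its default of DENY. The filter class and the init-param names are the ones documented on the linked page; the filter name "httpHeaderSecurity" and the /* mapping are this example's own choices. It goes in $CATALINA_BASE/conf/web.xml to apply to every webapp on the instance, or in the application's WEB-INF/web.xml to apply to that application only.

```xml
<!-- Added example: Tomcat HttpHeaderSecurityFilter emitting
     X-Frame-Options: SAMEORIGIN. The filter's default for
     antiClickJackingOption is DENY, which is the value seen in the
     browser console output quoted in the original message. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>

    <!-- Anti-clickjacking: on by default; set explicitly for clarity. -->
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- DENY (default) blocks framing from anywhere;
         SAMEORIGIN allows framing only by pages from the same origin. -->
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>

    <!-- Enabling this filter also turns on its other headers. HSTS is
         on by default and is only emitted for requests Tomcat sees as
         secure (HTTPS connector or a trusted proxy header); shown here
         so the side effect is visible rather than surprising. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Two checks worth doing after restarting Tomcat. First, confirm what the browser actually receives, for example with `curl -sI https://cas.example.edu/cas/login | grep -i x-frame-options` (hostname from the quoted console output). Second, remember that this filter sets the header before handing the request to the application; if the application (or a framework filter it ships with) sets X-Frame-Options itself later in the chain, the application's value is what the client sees, so a DENY that persists after this change is coming from the application, not from Tomcat. The `Header always set X-Frame-Options "SAMEORIGIN"` line in Thomas's reply is the httpd equivalent when a reverse proxy sits in front of Tomcat; in httpd, `always` only controls which response table the header is written to and has no counterpart in the Tomcat filter.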
