I think they pulled the ALWAYS value from an example Apache HTTPd conf.
While researching this, we also gathered that the X-Frame-Options were more
or less deprecated in favor of Content Security Policy.

However, it turned out that the whole X-Frame-Options thing was a red herring
anyway. We found a way to set this within the CAS configs, but to no avail.
The root cause for the problem was unrelated, and was actually that CAS had
changed the default encryption algorithm for their cookies, and the new
required key size didn't match what had been provided in the CAS
configuration properties for the old default.

On Thu, Feb 12, 2026 at 5:40 AM Christopher Schultz <
[email protected]> wrote:

> Baron,
>
> On 2/10/26 12:16 PM, Baron Fujimoto wrote:
> > We're running Apereo's CAS 7 using Tomcat 11. We have a set of related
> > applications integrated with CAS that have been reporting the following
> > errors to us. (We have not had similar reports from the myriad other
> > applications also integrated with the CAS service)
> >
> > =====
> > Cookie "" has been rejected as third-party.
> > Request to access cookie or storage on "‹URL›" was blocked because we are
> > blocking all third-party storage access requests and Enhanced Tracking
> > Protection is enabled.
> > Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> > samesite=none; secure; httponly" has been rejected as third-party.
> > Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> > Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
> > as third-party.
> > Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT;
> > samesite=none; secure; httponly" has been rejected as third-party.
> > Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> > Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been rejected
> > as third-party.
> > The loading of "
> >
> https://urldefense.com/v3/__https://cas.example.edu/cas/login?service=https*3*2F*2Fbanner.example.edu*3A9000*2FBannerAdmin.ws&2Fi__;JSUlJSU!!PvDODwlR4mBZyAb0!QO0KZYJQT6KFklQBp3NUXl1ovI9l0AusmBbbx_unfGvNCfUTO_cpHKIUGvXkwh_NnAZlcjI1FMge1z6fDhLvb-0$
> > spring cas security check" in a frame is denied by "X-Frame-Options"
> > directive set to "deny".
> > =====
> >
> > They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS. How
> can
> > we set this for Tomcat?
>
> Note that you can set SAMEORIGIN but the value ALWAYS isn't a thing.
> Maybe they meant "ALWAYS set the header value to SAMEORIGIN"?
>
> > It's possible this is a red herring, or not the best approach to our
> > situation, so we're also completely open to other ideas or suggestions.
>
> Thomas Hoffmann has already replied with correct information, but I
> would advise you to look at Content Security Policy (CSP) which is a
> much more modern standard for thing kind of thing.
>
> For example, it allows *very* fine-grained control over frame ancestor
> behavior using the frame-ancestors directive, rather than the very
> coarse-grained settings for X-Frame-Options.
>
> Tomcat doesn't have a valve/filter for setting CSP, but OWASP has one. I
> just read the code, and it's awful. I won't even bother giving you a
> reference to it.
>
> If you're interested in using CSP instead (which I'd recommend), write
> back and I'll see what I can find.
>
> -chris
>
>
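Chris's suggestion above is to replace X-Frame-Options with the CSP frame-ancestors directive, and he notes that Tomcat ships no valve or filter for CSP. The following is an added example, not code from this thread, from Tomcat, or from Apereo CAS: a small Jakarta Servlet filter that emits a Content-Security-Policy header carrying only frame-ancestors. It assumes Tomcat 11 (Jakarta Servlet 6, Java 17), a hypothetical init-param name "allowedAncestors", and a hypothetical package name; the banner.example.edu:9000 origin comes from the error message quoted in the thread.

```java
// Added example (not from the thread, Tomcat or CAS): a servlet filter that sets
// "Content-Security-Policy: frame-ancestors ..." as the modern replacement for
// X-Frame-Options. Assumes Tomcat 11 / Jakarta Servlet 6 on Java 17+.
//
// Registration in web.xml (hypothetical filter name and package):
//   <filter>
//     <filter-name>frameAncestors</filter-name>
//     <filter-class>edu.example.cas.web.FrameAncestorsFilter</filter-class>
//     <init-param>
//       <param-name>allowedAncestors</param-name>
//       <param-value>'self' https://banner.example.edu:9000</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>frameAncestors</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package edu.example.cas.web; // hypothetical package

import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;

public class FrameAncestorsFilter implements Filter {

    // Full header value, built once at init time.
    private String policy;

    @Override
    public void init(FilterConfig cfg) {
        // "allowedAncestors" is a hypothetical init-param: a space-separated CSP
        // source list, e.g. "'self' https://banner.example.edu:9000".
        String allowed = cfg.getInitParameter("allowedAncestors");

        // Default to 'self', the equivalent of X-Frame-Options: SAMEORIGIN.
        // 'none' would be the equivalent of X-Frame-Options: DENY, which is what
        // produced the "denied by X-Frame-Options directive" error in the thread.
        if (allowed == null || allowed.isBlank()) {
            allowed = "'self'";
        }
        policy = "frame-ancestors " + allowed.trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse http) {
            // setHeader (not addHeader): a browser enforces every CSP header it
            // receives, so a second, stricter policy from elsewhere would silently
            // override the allow-list. Replacing keeps the effective policy visible
            // in one place.
            http.setHeader("Content-Security-Policy", policy);

            // Browsers that understand frame-ancestors ignore X-Frame-Options when
            // both are present, so an older SAMEORIGIN/DENY header left in place by
            // HttpHeaderSecurityFilter or httpd does no harm there; it only matters
            // for legacy clients without CSP Level 2 support.
        }
        chain.doFilter(req, res);
    }
}
```

The filter must run before the response is committed, so map it to /* rather than only to the login endpoint; once the first byte of the body has been flushed, setHeader is a no-op.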
