Discussion forums

X-Frame-Options

Traolly Xiong, modified 6 years ago.

X-Frame-Options

Regular Member Posts: 195 Join date: 30/12/11
Hello Everyone,
I'm trying to figure out how to default all Liferay URLs response headers to be "X-Frame-Options: SAME-ORIGIN" (including the top level domains).

ex) "http://xyz.qad.com" can be iframed within the same domain and another domain "http://abc.qad.com" that contains the
top level domain as well.

To add on to that, I would like to specify specific Liferay page URLs to be allowed to be iframed into same domains and external domains.

The "http.header.secure.x.frame.options" parameters within the "portal-ext.properties" may have some limitations.

Any good advice is fully appreciated.

Thanks.

Regards,
TRX
Olaf Kock, modified 6 years ago.

RE: X-Frame-Options

Liferay Legend Posts: 6403 Join date: 23/09/08
In case you are using a frontend webserver like Apache or nginx, I'd recommend adding the header there, with all the conditionals that you intend to use (URL-based).

If you don't, you can deploy a ServletFilter plugin to Liferay, in which you'll have to put all the conditionals and manually add the filter as well, when the URL matches your criteria.
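The servlet-filter route described in the reply above, as an added example that is not code from either poster or from Liferay. X-Frame-Options has no value that means "same origin plus sibling subdomains", so this sketch expresses the per-URL allow-list with the CSP `frame-ancestors` directive and keeps `X-Frame-Options: SAMEORIGIN` only as a fallback on default pages. The class name, the `/web/guest/widget` path and `partner.example` are hypothetical, and it assumes Liferay's own X-Frame-Options setting is not also applied to the same responses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FramePolicyFilter implements Filter {

    // Default: the page itself plus any qad.com subdomain may frame the response.
    private static final String DEFAULT_ANCESTORS = "'self' https://*.qad.com";

    // Hypothetical per-path exceptions: {path prefix, allowed framing origins}.
    private static final String[][] PER_PATH = {
        {"/web/guest/widget", "'self' https://*.qad.com https://partner.example"},
    };

    // Returns the frame-ancestors source list for a request path.
    static String ancestorsFor(String path) {
        for (String[] rule : PER_PATH) {
            // Match the exact path or a sub-path, never a mere string prefix
            // such as /web/guest/widget-admin.
            if (path.equals(rule[0]) || path.startsWith(rule[0] + "/")) {
                return rule[1];
            }
        }
        return DEFAULT_ANCESTORS;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String path = ((HttpServletRequest) req).getRequestURI();
        HttpServletResponse response = (HttpServletResponse) res;
        String ancestors = ancestorsFor(path);
        // addHeader so an existing Content-Security-Policy header is not replaced;
        // browsers enforce every CSP header they receive.
        response.addHeader("Content-Security-Policy", "frame-ancestors " + ancestors);
        if (ancestors.equals(DEFAULT_ANCESTORS)) {
            // Fallback for browsers without frame-ancestors support: they will
            // allow same-origin framing only, which is the stricter outcome.
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
        }
        chain.doFilter(req, res);
    }
}
```

Browsers that support `frame-ancestors` ignore X-Frame-Options when both are present, so the exception paths omit the legacy header rather than sending a value that would contradict the allow-list.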
Traolly Xiong, modified 6 years ago.

RE: X-Frame-Options

Regular Member Posts: 195 Join date: 30/12/11
Hello Olaf,
Just curious. Correct me if I'm wrong. The portal-ext parameters ONLY allow the 3 options and leave little room for
a more sophisticated configuration without an Apache / servlet filter class.

1) DENY All IFrame options.
2) Allow All IFrame options
3) DENY ALL IFrame options except the specific URLs listed; and those listed URLs are allowed to be
iframed into ALL domains (internal / external) as one can't specify a domain per URL listed.

Does that sound about right?

Thank you sir.

TRX
Olaf Kock, modified 6 years ago.

RE: X-Frame-Options

Liferay Legend Posts: 6403 Join date: 23/09/08
To be honest, I didn't even look at that property yet - but as soon as you mentioned conditionals, my expectation was that a single property can't handle them at all. I'm assuming that the property-configuration is an all-or-nothing configuration. Thus the Apache-suggestion, which is a lot more flexible.
Traolly Xiong, modified 6 years ago.

RE: X-Frame-Options

Regular Member Posts: 195 Join date: 30/12/11
Thank you sir. I will go with what you recommended.