Discussion Forums
X-Frame-Options
Traolly Xiong, modified 6 years ago.
X-Frame-Options
Regular Member Posts: 195 Join Date: 30/12/11
Hello Everyone,
I'm trying to figure out how to default all Liferay URLs response headers to be "X-Frame-Options: SAME-ORIGIN" (including the top level domains).
ex) "http://xyz.qad.com" can be iframed within the same domain and another domain "http://abc.qad.com" that contains the top level domain as well.
To add on to that, I would like to specify specific Liferay page URLs to be allowed to be iframed into same domains and external domains.
The "http.header.secure.x.frame.options" parameters within the "portal-ext.properties" may have some limitations.
Any good advice is fully appreciated.
Thanks.
Regards,
TRX
Olaf Kock, modified 6 years ago.
RE: X-Frame-Options
Liferay Legend Posts: 6403 Join Date: 23/09/08
In case you are using a frontend webserver like Apache or nginx, I'd recommend adding the header there, with all the conditionals that you intend to use (URL-based).
If you don't, you can deploy a ServletFilter plugin to Liferay, in which you'll have to put all the conditionals and manually add the filter as well, when the URL matches your criteria.
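Added example, not part of the original posts and not Liferay's own configuration: one way to write the URL-based conditionals at an Apache frontend, assuming mod_headers is loaded and Apache reverse-proxies Liferay. The path `/web/guest/embeddable` and the host `partner.example` are placeholders; because X-Frame-Options has no value that covers sibling subdomains, the cross-subdomain rule is carried by the Content-Security-Policy `frame-ancestors` directive.

```apache
# Added example (assumptions: mod_headers loaded, Apache proxies Liferay).
# /web/guest/embeddable and partner.example are placeholders.

# Remove any framing header the backend already sent, so the browser
# receives a single policy. The plain form edits proxied (success)
# headers, the "always" form edits the error-response table.
Header unset X-Frame-Options
Header always unset X-Frame-Options

# Default for every URL.
# SAMEORIGIN only permits the exact same origin; it cannot say
# "any host under qad.com". Browsers that support frame-ancestors
# enforce it in preference to X-Frame-Options, so the legacy header
# stays as a fallback for browsers that do not.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self' *.qad.com"

# Per-URL exception: pages that may also be framed by one named
# external site. Location sections are applied after the server-level
# directives above, so these lines override the default for this path.
<LocationMatch "^/web/guest/embeddable(/|$)">
    # X-Frame-Options cannot name an external origin in current
    # browsers, so it is dropped here and CSP alone governs framing.
    # Legacy browsers without frame-ancestors support get no framing
    # protection on these pages; keep the exempted path set small.
    Header always unset X-Frame-Options
    Header always set Content-Security-Policy "frame-ancestors 'self' *.qad.com https://partner.example"
</LocationMatch>
```

Check the result with `curl -sI` against a default page and an exempted page; each response should carry exactly one framing policy.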
Traolly Xiong, modified 6 years ago.
RE: X-Frame-Options
Regular Member Posts: 195 Join Date: 30/12/11
Hello Olaf,
Just curious. Correct me if I'm wrong. The portal-ext parameters ONLY allow the 3 options and leave little room for a more sophisticated configuration without an apache / servlet filter class.
1) DENY All IFrame options.
2) Allow All IFrame options
3) DENY ALL IFrame options except the specific URLs listed; and those listed URLs are allowed to be iframed into ALL domains (internal / external) as one can't specify a domain per URL listed.
Does that sound about right?
Thank you sir.
TRX
Olaf Kock, modified 6 years ago.
RE: X-Frame-Options
Liferay Legend Posts: 6403 Join Date: 23/09/08
To be honest, I didn't even look at that property yet - but as soon as you mentioned conditionals, my expectation was that a single property can't handle them at all. I'm assuming that the property-configuration is an all-or-nothing configuration. Thus the Apache-suggestion, which is a lot more flexible.
Traolly Xiong, modified 6 years ago.
RE: X-Frame-Options
Regular Member Posts: 195 Join Date: 30/12/11
Thank you sir. I will go with what you recommended.