Troubles with X-Frame-Options


rmorales

Sep 9, 2016, 9:55:17 PM
to Sakai Users Group
Hello,

We have Sakai 11 installed now at http://virtual.cudi.edu.mx:8080, and it is working generally well (still to fix email exchange, and bits). However, we have a problem with embedding content available in Sakai 11 (where collaboration takes place) into CUDI's web server (www.cudi.edu.mx). I have checked the headers Sakai sends (running on Tomcat 8.5.4 on Oracle Java 8 on Debian 8) and they include the X-Frame-Options header:

HTTP/1.1 200 => 
X-Frame-Options => SAMEORIGIN
X-Content-Type-Options => nosniff
X-XSS-Protection => 1; mode=block
Set-Cookie => JSESSIONID=252cd57d-f21c-4c12-be9b-dfade19cffc8.CUDIVirtual; Path=/; HttpOnly
Expires => Fri, 11 Sep 2015 01:36:15 GMT
Last-Modified => Sat, 10 Sep 2016 01:36:15 GMT
Cache-Control => no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma => no-cache
Content-Type => text/html;charset=UTF-8
Date => Sat, 10 Sep 2016 01:36:15 GMT
Connection => close

I have made changes to Tomcat's web.xml, configuring the httpHeaderSecurity filter and its mapping, with no luck (yes, they are uncommented):

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>http://www.cudi.edu.mx</param-value>
        </init-param>
    </filter>
...
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

So, I am wondering whether it is something enforced by Sakai, and how to fix it (at least for Resources).

Regards,
Rafael

Neal Caidin

Sep 12, 2016, 7:54:14 AM
to rmorales, Sakai Users Group
Hi Rafael,

Since this is a technical post, I'm wondering if you will have better luck posing your question to sakai-pr...@apereo.org or saka...@apereo.org ?

Best,
Neal


--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+unsubscribe@apereo.org.
To post to this group, send email to sakai...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-user/.

Earle Nietzel

Sep 13, 2016, 9:27:47 AM
to Neal Caidin, rmorales, Sakai Users Group
Hi Rafael,


And was last referenced in this JIRA https://jira.sakaiproject.org/browse/KNL-1384

If the content domain is separate from the Sakai domain, then you should set this property, and that should remove the header.
content.separateDomains=true
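To check what an embedding page will actually get under each of the configurations discussed in this thread, here is an added example (my code, not Sakai's or Tomcat's) that models how browsers decide framing from X-Frame-Options and from the CSP frame-ancestors directive, which is the standard way to allow one specific parent site such as www.cudi.edu.mx while still blocking everyone else. It also shows why the ALLOW-FROM route has limited value: Chrome and Safari never honoured it and treat the header as invalid, so the outcome there is the same as removing the header with content.separateDomains, i.e. no clickjacking protection. The two host names are those from Rafael's post; the paths and header sets used in the checks are constructed.

```python
# Added example (not Sakai or Tomcat code): model how browsers decide whether a
# parent page may frame a response, from X-Frame-Options and CSP frame-ancestors.
from urllib.parse import urlsplit

# Constructed from the thread: Sakai on one host/port, CUDI's public site on another.
SAKAI = "http://virtual.cudi.edu.mx:8080/portal/"
CUDI = "http://www.cudi.edu.mx/"

def origin(url):
    """(scheme, host, port) of a URL with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(),
            p.port or (443 if p.scheme.lower() == "https" else 80))

def _source_matches(src, parent_url, frame_url):
    """Match one frame-ancestors source expression against the parent's origin."""
    src = src.lower()
    if src == "'self'":
        return origin(parent_url) == origin(frame_url)
    scheme, host, port = origin(parent_url)
    sscheme, _, rest = src.rpartition("://")
    shost, _, sport = rest.partition(":")
    if sscheme and sscheme != scheme:  # a schemeless source matches any scheme
        return False
    default = 443 if (sscheme or scheme) == "https" else 80
    port_ok = sport == "*" or (int(sport) if sport else default) == port
    host_ok = host.endswith(shost[1:]) if shost.startswith("*.") else host == shost
    return port_ok and host_ok

def framing_decision(headers, frame_url, parent_url, honours_allow_from=False):
    """Return 'allowed', 'blocked' or 'unprotected' (no effective framing policy)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":  # CSP overrides XFO
            sources = parts[1:]
            if not sources or sources == ["'none'"]:
                return "blocked"
            ok = any(_source_matches(s, parent_url, frame_url) for s in sources)
            return "allowed" if ok else "blocked"
    xfo = h.get("x-frame-options", "").split()
    token = xfo[0].upper() if xfo else ""
    if token == "DENY":
        return "blocked"
    if token == "SAMEORIGIN":
        return "allowed" if origin(frame_url) == origin(parent_url) else "blocked"
    if token == "ALLOW-FROM" and len(xfo) == 2 and honours_allow_from:
        return "allowed" if origin(xfo[1]) == origin(parent_url) else "blocked"
    # Chrome/Safari never honoured ALLOW-FROM: invalid header, so no restriction at all.
    return "unprotected"
```

Run it against the live headers of the Resources URL and the embedding page's URL; a `Content-Security-Policy: frame-ancestors 'self' http://www.cudi.edu.mx` response is the only one of the variants above that both permits the CUDI site and blocks everyone else.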