  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-39820

X-Frame-Options configuration doesn't respect empty values and commas in URL

    Details

      Description

      Using the following configuration:

      http.header.secure.x.frame.options.10=/web/guest/xxx, DENY
      http.header.secure.x.frame.options.11=/web/guest/test2,
      http.header.secure.x.frame.options.12=/web/guest/test, ALLOW-FROM https://i-want-to-embed-login-page
      http.header.secure.x.frame.options.13=/web/guest, ALLOW-FROM https://intranet.company.com
      http.header.secure.x.frame.options.14=/group/, DENY
      http.header.secure.x.frame.options.15=/file,with,commas/3, ALLOW-FROM https://c.s.lewis/
      

      Results don't respect the configuration.

      curl -I http://localhost:8080/web/guest/xxx
      curl -I http://localhost:8080/web/guest/test2
      curl -I http://localhost:8080/web/guest/test
      curl -I http://localhost:8080/web/guest
      curl -I http://localhost:8080/group/
      curl -I http://localhost:8080/file,with,commas/3
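
Added illustration, not part of the original report and not Liferay's code: why a comma-separated "URL prefix, header value" pair is fragile for the six values above, and one way to parse it. The class and method names are hypothetical; the first-matching-prefix lookup in key order and the reading of an empty value as "send no header" are assumptions. Requires Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, written for this example only.
public class FrameOptionsRules {
    // One parsed rule: URL prefix plus header value ("" = explicit empty value).
    record Rule(String prefix, String header) {}

    // Naive parse: String.split(",") drops trailing empty strings and cuts at
    // the FIRST comma, so an empty value and a URL containing commas both break.
    static Rule naive(String value) {
        String[] parts = value.split(",");
        return new Rule(parts[0].trim(), parts.length > 1 ? parts[1].trim() : null);
    }

    // Split on the LAST comma: commas inside the URL survive, and an empty
    // right-hand side is kept as "" instead of disappearing.
    static Rule lastComma(String value) {
        int i = value.lastIndexOf(',');
        if (i < 0) throw new IllegalArgumentException("no separator in: " + value);
        return new Rule(value.substring(0, i).trim(), value.substring(i + 1).trim());
    }

    // Assumed semantics: rules are tried in key order, first prefix match wins.
    static String headerFor(List<Rule> rules, String path) {
        for (Rule r : rules) {
            if (path.startsWith(r.prefix())) return r.header();
        }
        return null; // no rule matched; the caller applies its default
    }

    public static void main(String[] args) {
        String[] values = { // the six values from the report, in key order
            "/web/guest/xxx, DENY",
            "/web/guest/test2,",
            "/web/guest/test, ALLOW-FROM https://i-want-to-embed-login-page",
            "/web/guest, ALLOW-FROM https://intranet.company.com",
            "/group/, DENY",
            "/file,with,commas/3, ALLOW-FROM https://c.s.lewis/" };
        List<Rule> rules = new ArrayList<>();
        for (String v : values) {
            rules.add(lastComma(v));
            System.out.printf("%s%n  naive:      %s%n  last comma: %s%n", v, naive(v), lastComma(v));
        }
        for (String p : new String[] { "/web/guest/test2", "/file,with,commas/3" })
            System.out.printf("%s -> [%s]%n", p, headerFor(rules, p));
    }
}
```

Splitting on the last comma is only unambiguous while the header value itself contains no comma; a separator that cannot occur in either field avoids the problem entirely.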
      

              People

              Assignee:
              shuyang.zhou Shuyang Zhou
              Reporter:
              tomas.polesovsky Tomáš Polešovský
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                7 years, 36 weeks, 3 days ago

                  Packages

                  Version Package
                  6.1.X EE
                  6.2.0 CE RC1