added same origin x-frame-options header security config (#1207)

Signed-off-by: Bogdan Bondar <Bogdan.Bondar@bosch.io>
2021-12-06 10:08:45 +01:00
parent 146735012a
commit 7cc89d6291
1 changed files with 7 additions and 2 deletions
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -653,7 +653,9 @@ public class SecurityManagedConfiguration {
        }

        /**
-         * Overwriting VaadinAuthenticationSuccessHandler of default VaadinSharedSecurityConfiguration
+         * Overwriting VaadinAuthenticationSuccessHandler of default
+         * VaadinSharedSecurityConfiguration
+         * 
         * @return the vaadin success authentication handler
         */
        @Primary
@@ -696,6 +698,9 @@ public class SecurityManagedConfiguration {
            }
            // disable as CSRF is handled by Vaadin
            httpSec.csrf().disable();
+            // allow same origin X-Frame-Options for correct file download under
+            // Safari
+            httpSec.headers().frameOptions().sameOrigin();

            if (hawkbitSecurityProperties.isRequireSsl()) {
                httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
@@ -762,7 +767,7 @@ public class SecurityManagedConfiguration {
                    return new FirewalledRequest(request) {
                        @Override
                        public void reset() {
-                            //nothing to do
+                            // nothing to do
                        }
                    };
                }