From 7cc89d6291ca0b6d48243956ad7a76299d61d8a1 Mon Sep 17 00:00:00 2001
From: Bondar Bogdan <36962546+bogdan-bondar@users.noreply.github.com>
Date: Mon, 6 Dec 2021 10:08:45 +0100
Subject: [PATCH] added same origin x-frame-options header security config (#1207)
Signed-off-by: Bogdan Bondar
---
 .../security/SecurityManagedConfiguration.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index c8b6f8794..843a8fdf4 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -653,7 +653,9 @@ public class SecurityManagedConfiguration {
 }
 /**
- * Overwriting VaadinAuthenticationSuccessHandler of default VaadinSharedSecurityConfiguration
+ * Overwriting VaadinAuthenticationSuccessHandler of default
+ * VaadinSharedSecurityConfiguration
+ *
+ * @return the vaadin success authentication handler
 */
 @Primary
@@ -696,6 +698,9 @@ public class SecurityManagedConfiguration {
 }
 // disable as CSRF is handled by Vaadin
 httpSec.csrf().disable();
+ // allow same origin X-Frame-Options for correct file download under
+ // Safari
+ httpSec.headers().frameOptions().sameOrigin();
 if (hawkbitSecurityProperties.isRequireSsl()) {
 httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
@@ -762,7 +767,7 @@ public class SecurityManagedConfiguration {
 return new FirewalledRequest(request) {
 @Override
 public void reset() {
- //nothing to do
+ // nothing to do
 }
 };
 }
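Review bot: The new `httpSec.headers().frameOptions().sameOrigin();` line in the second hunk relaxes Spring Security's default `DENY` to `SAMEORIGIN` for the whole UI filter chain, but neither the added comment nor the commit message records that this is a deliberate weakening of clickjacking protection or why `DENY` breaks the Safari download (presumably the download is triggered through a same-origin frame — confirm). I would expand the comment to `// X-Frame-Options is relaxed from the Spring Security default DENY to SAMEORIGIN: the UI file download under Safari needs a same-origin frame; framing by other origins stays blocked`. Since `hawkbitSecurityProperties` already drives the `requiresSecure()` decision a few lines down, consider letting deployments that do not need the Safari workaround keep `DENY` through a property instead of hard-coding the relaxation. If a Content-Security-Policy with `frame-ancestors` is configured elsewhere in this class, it should be kept consistent with this header. The enclosing configure method begins and ends outside the hunk.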