
Commit f06e800

committed
Remove AllowFromStrategy in favor of ContentSecurityPolicy
Closes gh-17307 Signed-off-by: Andrey Litvitski <[email protected]>
1 parent e686ac6 commit f06e800


13 files changed

+12
-795
lines changed


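--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2022 the original author or authors.
+* Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
-import java.net.URI;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -35,8 +34,6 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
-import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
-import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
@@ -102,13 +99,6 @@ public void requestWhenFrameOptionsSameOriginThenBehaviorMatchesNamespace() thro
 this.mvc.perform(get("/")).andExpect(includes(Collections.singletonMap("X-Frame-Options", "SAMEORIGIN")));
 }
 
-@Test
-public void requestWhenFrameOptionsAllowFromThenBehaviorMatchesNamespace() throws Exception {
-this.spring.register(FrameOptionsAllowFromConfig.class).autowire();
-this.mvc.perform(get("/"))
-.andExpect(includes(Collections.singletonMap("X-Frame-Options", "ALLOW-FROM https://example.com")));
-}
-
 @Test
 public void requestWhenXssOnlyThenBehaviorMatchesNamespace() throws Exception {
 this.spring.register(XssProtectionConfig.class).autowire();
@@ -243,25 +233,6 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 }
 
-@Configuration
-@EnableWebSecurity
-static class FrameOptionsAllowFromConfig {
-
-@Bean
-SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-// @formatter:off
-http
-.headers((headers) -> headers
-// frame-options@ref
-.defaultsDisabled()
-.addHeaderWriter(new XFrameOptionsHeaderWriter(
-new StaticAllowFromStrategy(URI.create("https://example.com")))));
-return http.build();
-// @formatter:on
-}
-
-}
-
 @Configuration
 @EnableWebSecurity
 static class XssProtectionConfig {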
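Review bot: The removal of `requestWhenFrameOptionsAllowFromThenBehaviorMatchesNamespace` and `FrameOptionsAllowFromConfig` (old lines 105-111 and 246-264) leaves no test in the visible hunks for the `Content-Security-Policy` replacement named in the commit title. `ALLOW-FROM` is obsolete and current browsers do not honor it, so applications that allowed framing from one origin have to move to a `frame-ancestors` directive to keep their clickjacking protection. A companion test would document that migration: a config using `.contentSecurityPolicy((csp) -> csp.policyDirectives("frame-ancestors https://example.com"))`, with an assertion that the `Content-Security-Policy` header is emitted. Only some of the 13 changed files are shown here, so such coverage may already exist elsewhere in the commit.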

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java

Lines changed: 0 additions & 81 deletions
This file was deleted.

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java

Lines changed: 0 additions & 44 deletions
This file was deleted.

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java

Lines changed: 0 additions & 55 deletions
This file was deleted.

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java

Lines changed: 0 additions & 45 deletions
This file was deleted.

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java

Lines changed: 0 additions & 52 deletions
This file was deleted.
