spring-projects · therepanic · Jun 25, 2025
diff --git a/...springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java b/...springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
-import java.net.URI;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -35,8 +34,6 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
-import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
-import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
@@ -102,13 +99,6 @@ public void requestWhenFrameOptionsSameOriginThenBehaviorMatchesNamespace() thro
 		this.mvc.perform(get("/")).andExpect(includes(Collections.singletonMap("X-Frame-Options", "SAMEORIGIN")));
 	}
 
-	@Test
-	public void requestWhenFrameOptionsAllowFromThenBehaviorMatchesNamespace() throws Exception {
-		this.spring.register(FrameOptionsAllowFromConfig.class).autowire();
-		this.mvc.perform(get("/"))
-			.andExpect(includes(Collections.singletonMap("X-Frame-Options", "ALLOW-FROM https://example.com")));
-	}
-
 	@Test
 	public void requestWhenXssOnlyThenBehaviorMatchesNamespace() throws Exception {
 		this.spring.register(XssProtectionConfig.class).autowire();
@@ -243,25 +233,6 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	}
 
-	@Configuration
-	@EnableWebSecurity
-	static class FrameOptionsAllowFromConfig {
-
-		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			http
-				.headers((headers) -> headers
-					// frame-options@ref
-					.defaultsDisabled()
-					.addHeaderWriter(new XFrameOptionsHeaderWriter(
-						new StaticAllowFromStrategy(URI.create("https://example.com")))));
-			return http.build();
-			// @formatter:on
-		}
-
-	}
-
 	@Configuration
 	@EnableWebSecurity
 	static class XssProtectionConfig {

diff --git a/...k/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java b/...k/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java
diff --git a/.../java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java b/.../java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java
diff --git a/...org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java b/...org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java
diff --git a/...org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java b/...org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java
diff --git a/...pringframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java b/...pringframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java