Author: violetagg Date: Mon May 9 11:14:06 2016 New Revision: 1742919 URL: http://svn.apache.org/viewvc?rev=1742919&view=rev Log: Ensure that the value for the header X-Frame-Options is constructed correctly according to the spec when ALLOW-FROM option is used: X-Frame-Options = "DENY" / "SAMEORIGIN" / ( "ALLOW-FROM" RWS SERIALIZED-ORIGIN )
RWS = 1*( SP / HTAB ) ; required whitespace Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1742919&r1=1742918&r2=1742919&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original) +++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Mon May 9 11:14:06 2016 @@ -77,7 +77,7 @@ public class HttpHeaderSecurityFilter ex // Anti click-jacking StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { - cjValue.append(':'); + cjValue.append(' '); cjValue.append(antiClickJackingUri); } antiClickJackingHeaderValue = cjValue.toString(); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1742919&r1=1742918&r2=1742919&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon May 9 11:14:06 2016 @@ -199,6 +199,11 @@ Java 8 onwards and Tomcat 9 requires Java 8 so the option is unnecessary. (markt) </scode> + <fix> + Ensure that the value for the header <code>X-Frame-Options</code> is + constructed correctly according to the specification when + <code>ALLOW-FROM</code> option is used. (violetagg) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
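Review bot: in the HttpHeaderSecurityFilter.java hunk, the separator change from `cjValue.append(':')` to `cjValue.append(' ')` matches the grammar quoted in the log (`"ALLOW-FROM" RWS SERIALIZED-ORIGIN`, with RWS being at least one space or tab), but nothing in this hunk checks that `antiClickJackingUri` is actually a SERIALIZED-ORIGIN (scheme and host, optional port, no path or trailing slash) before it is appended. A configured value such as `http://example.com/app` would now be emitted verbatim and browsers that still honour ALLOW-FROM would reject the header, which silently drops the clickjacking protection. Suggest normalising or validating the configured URI to an origin where the init parameter is read, and adding a unit test that asserts the resulting header value is exactly `ALLOW-FROM ` followed by the origin with a single space, so the `':'` separator cannot regress.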
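Review bot: the changelog.xml hunk is missing an article ("when the <code>ALLOW-FROM</code> option is used") and does not say what actually changed in the emitted header. Since operators may have tuned proxies or tests against the old `ALLOW-FROM:` form, the entry should state that the separator between <code>ALLOW-FROM</code> and the origin changed from a colon to a space, e.g. "Use a space rather than a colon to separate <code>ALLOW-FROM</code> from the origin, as required by the specification."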