Package org.springframework.security.web.header.writers.frameoptions

Class XFrameOptionsHeaderWriter

java.lang.Object

org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter

All Implemented Interfaces:

HeaderWriter

public final class XFrameOptionsHeaderWriter
extends Object
implements HeaderWriter

HeaderWriter implementation for the X-Frame-Options headers. When using the ALLOW-FROM directive the actual value is determined by a AllowFromStrategy.

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	XFrameOptionsHeaderWriter.XFrameOptionsMode	The possible values for the X-Frame-Options header.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	XFRAME_OPTIONS_HEADER

Constructor Summary

Constructors

Constructor	Description
XFrameOptionsHeaderWriter()	Creates an instance with XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY
XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy)	Deprecated. ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode frameOptionsMode)	Creates a new instance

Method Summary

Modifier and Type	Method	Description
void	writeHeaders(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)	Writes the X-Frame-Options header value, overwritting any previous value.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

XFRAME_OPTIONS_HEADER

public static final String XFRAME_OPTIONS_HEADER

See Also:

• Constant Field Values

Constructor Details

XFrameOptionsHeaderWriter

public XFrameOptionsHeaderWriter()

Creates an instance with XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY

XFrameOptionsHeaderWriter

public XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode frameOptionsMode)

Creates a new instance

Parameters:

frameOptionsMode - the XFrameOptionsHeaderWriter.XFrameOptionsMode to use. If using XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM, use Content-Security-Policy with the frame-ancestors directive instead.

XFrameOptionsHeaderWriter

@Deprecated
public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy)

Deprecated.

ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.

Creates a new instance with XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM.

Parameters:

allowFromStrategy - the strategy for determining what the value for ALLOW_FROM is.

See Also:

• AllowFromStrategy

Method Details

writeHeaders

public void writeHeaders(jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response)

Writes the X-Frame-Options header value, overwritting any previous value.

Specified by:

writeHeaders in interface HeaderWriter

Parameters:

request - the servlet request

response - the servlet response