Spring Security is a powerful and highly configurable authentication and access-control framework, and the de facto standard for securing Spring-based applications. Like every Spring project, its main strength is how easily it can be customized to fit specific requirements. One side effect of its defaults is the browser error “Refused to display in a frame because it set ‘X-Frame-Options’ to ‘DENY’”, which appears as soon as a page from the application is embedded in a frame. In this blog we explain why the error occurs and show the configuration changes that resolve it.
When Does The Error “Refused to display in a frame because it set ‘X-Frame-Options’ to ‘DENY’” Happen?
When a URL served by the application is loaded inside a frame or iframe, whether by an external site or by the application itself, the browser refuses to render it and logs:
Refused to display <url> in a frame because it set ‘x-frame-options’ to ‘deny’
The security headers Spring Security adds to every response by default are:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
All of these HTTP security headers are included by default by Spring Security. The default value of X-Frame-Options is DENY, which instructs the browser that no frame or iframe on any origin, including the application's own, may include the application's URIs. This is the framework's built-in protection against clickjacking, and it is why you get the error “Refused to display <url> in a frame because it set ‘X-Frame-Options’ to ‘DENY’”.
How To Solve The Error “Refused to display <url> in a frame because it set ‘x-frame-options’ to ‘deny’”
Method 1: Utilize the Content-Security-Policy configuration
The first solution we suggest for the error “Refused to display <url> in a frame because it set ‘X-Frame-Options’ to ‘DENY’” is to use a Content-Security-Policy configuration.
With the default configuration, the application's pages cannot be included in a frame at all. A Content-Security-Policy header with a frame-ancestors directive lets you list exactly which origins are permitted to embed the application, including origins on other domains. The following example shows this solution:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.headers()
        // Stop writing the default X-Frame-Options: DENY, which would otherwise
        // contradict the policy below in browsers that do not implement frame-ancestors.
        .frameOptions().disable()
        // frame-ancestors names the origins allowed to embed this application.
        .contentSecurityPolicy("frame-ancestors 'self' https://ittutoria.net https://*.ittutoria.net");
    // more config
}
For the X-Frame-Options header itself, you can also register a HeaderWriter implementation:
// import org.springframework.security.web.header.writers.StaticHeadersWriter;
http.headers()
    // The default writer emits DENY first and would win, so disable it before adding our own header.
    .frameOptions().disable()
    .addHeaderWriter(new StaticHeadersWriter("X-Frame-Options", "ALLOW-FROM https://ittutoria.net"));
When employing the ALLOW-FROM directive, an AllowFromStrategy determines the actual value. Please take note that ALLOW-FROM is an outdated directive that is ineffective in current browsers. Use the Content-Security-Policy instead, together with the frame-ancestors directive, as demonstrated in the example above. Consult this documentation.
Method 2: Change X-Frame-Options to SAMEORIGIN
Another method for you is changing X-Frame-Options to SAMEORIGIN.
The example below sets the X-Frame-Options value in the HTTP security headers to SAMEORIGIN. This means the URL can be used in any frame or iframe served from the same origin as the application, while other origins are still refused:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.headers()
        // Sends X-Frame-Options: SAMEORIGIN instead of DENY.
        .frameOptions().sameOrigin();
    // more config
}
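Spring Security 5.7 and later deprecate WebSecurityConfigurerAdapter in favour of a SecurityFilterChain bean, so here are Method 1 and Method 2 expressed in that style. This is an added example, not code from the original post; the embedding origins are the ones used above, and the request-authorization and login rules are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class FrameEmbeddingConfig {

    // Assumed list of embedding origins (the ittutoria.net hosts from the post).
    // Every origin listed here may render this application's pages inside its own
    // UI, so keep it to the sites that genuinely need to embed you.
    private static final String FRAME_ANCESTORS =
            "frame-ancestors 'self' https://ittutoria.net https://*.ittutoria.net";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                // Method 1: drop the default X-Frame-Options: DENY and let the CSP
                // frame-ancestors directive decide who may embed the page. If DENY were
                // left in place, a browser without frame-ancestors support would still
                // refuse the frame.
                .frameOptions(frameOptions -> frameOptions.disable())
                .contentSecurityPolicy(csp -> csp.policyDirectives(FRAME_ANCESTORS))
                // Method 2 (embedding only from the application's own origin) would be
                //   .frameOptions(frameOptions -> frameOptions.sameOrigin())
                // with no contentSecurityPolicy line at all.
            )
            // Assumed application rules: everything requires login, default login form.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(withDefaults());
        return http.build();
    }
}
```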
Method 3: Make a server side proxy script
Even when the external website sets X-Frame-Options to DENY, there is a way to load it into an iframe: a server-side proxy script that sits between your page and the external site. Building such a proxy is what lets you get past the “Refused to display <url> in a frame because it set ‘X-Frame-Options’ to ‘DENY’” error when the page you are framing belongs to another website.
Method 4: Old-style XML
If you configure Spring Security with the XML namespace, the frame-options element lets you change X-Frame-Options. The sample below tells Spring Security to use the SAMEORIGIN value, which permits iframes within the same domain:
<http>
    <!-- ... -->
    <headers>
        <frame-options policy="SAMEORIGIN" />
    </headers>
</http>
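Whichever method you apply, confirm what the server actually sends rather than relying on the browser console. The following Spring Boot MockMvc test is an added example, not part of the original post; it assumes the frame-ancestors configuration from Method 1, a default form-login page at /login, and the spring-boot-starter-test dependency.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class FrameHeadersTest {

    // Assumed to match the frame-ancestors value configured in Method 1.
    private static final String EXPECTED_CSP =
            "frame-ancestors 'self' https://ittutoria.net https://*.ittutoria.net";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void loginPageAdvertisesFrameAncestorsAndNoDeny() throws Exception {
        mockMvc.perform(get("/login"))
            .andExpect(status().isOk())
            // If DENY is still emitted, browsers without frame-ancestors support
            // will keep refusing the frame, so the header must be gone entirely.
            .andExpect(header().doesNotExist("X-Frame-Options"))
            // The CSP must carry exactly the allowed embedding origins, nothing wider.
            .andExpect(header().string("Content-Security-Policy", EXPECTED_CSP));
    }
}
```

For Method 2 or Method 4, replace the two header expectations with `header().string("X-Frame-Options", "SAMEORIGIN")`.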
Each of these solutions is simple to apply and will resolve the error. Keep in mind that every one of them relaxes the default frame protection, so pick the narrowest option that matches where your pages genuinely need to be embedded: SAMEORIGIN when only your own application frames them, and an explicit frame-ancestors list when specific external sites must.
Conclusion
“Refused to display <url> in a frame because it set ‘X-Frame-Options’ to ‘DENY’” is a confusing error the first time you meet it. We hope this blog has cleared up why it happens and how to resolve it. If you have further questions about this topic, please comment below. Thank you for reading!