URL 在 Header 中重写缺失的 X-Frame-Options
URL Rewrite Missing X-Frame-Options in Header
我正在使用 Tomcat 8 和 Tuckey urlrewrite 从我的网页 URL 中删除“.jsp”。它工作正常,但我注意到当 urlrewrite 从页面重定向时,响应 header 中的 X-Frame-Options 不存在。 mysite.com/Home 转换为 mysite.com/Home.jsp 但未设置 X-Frame 选项。它们是为我从 urlrewirte 中排除的所有页面设置的,例如 mysite.com/picture.png。任何指导将不胜感激。
Web.xml
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
urlrewrite.xml:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
"http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<urlrewrite>
<rule match-type="regex">
<condition type="request-url" operator="notequal">jsp$</condition>
<condition type="request-url" operator="notequal">html$</condition>
<condition type="request-url" operator="notequal">pdf$</condition>
<condition type="request-url" operator="notequal">txt$</condition>
<condition type="request-url" operator="notequal">apk$</condition>
<condition type="request-url" operator="notequal">app$</condition>
<condition type="request-url" operator="notequal">zip$</condition>
<condition type="request-url" operator="notequal">avi$</condition>
<condition type="request-url" operator="notequal">flv$</condition>
<condition type="request-url" operator="notequal">mp4$</condition>
<condition type="request-url" operator="notequal">mov$</condition>
<condition type="request-url" operator="notequal">wmv$</condition>
<condition type="request-url" operator="notequal">mp3$</condition>
<condition type="request-url" operator="notequal">wav$</condition>
<condition type="request-url" operator="notequal">jpg$</condition>
<condition type="request-url" operator="notequal">png$</condition>
<condition type="request-url" operator="notequal">/media/.*</condition>
<condition type="request-url" operator="notequal">/css/.*</condition>
<condition type="request-url" operator="notequal">/img/.*</condition>
<condition type="request-url" operator="notequal">/js/.*</condition>
<!-- negative look foward and back expresion to foward match pages that do not end in .jsp -->
<from>/.+(?:(?!jsp).).$</from>
<to type="forward">%{request-uri}.jsp</to>
</rule>
</urlrewrite>
所以这不是 URL Rewrite 的问题,而是缺少包含 x-frame-options 的 httpSecurityHeader 过滤器的问题。添加映射“/*”后,每个文件现在都设置了 antiClickJacking 选项。以下是实现此目的的 web.xml 设置。
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我正在使用 Tomcat 8 和 Tuckey urlrewrite 从我的网页 URL 中删除“.jsp”。它工作正常,但我注意到当 urlrewrite 从页面重定向时,响应 header 中的 X-Frame-Options 不存在。 mysite.com/Home 转换为 mysite.com/Home.jsp 但未设置 X-Frame 选项。它们是为我从 urlrewirte 中排除的所有页面设置的,例如 mysite.com/picture.png。任何指导将不胜感激。
Web.xml
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
urlrewrite.xml:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
"http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<urlrewrite>
<rule match-type="regex">
<condition type="request-url" operator="notequal">jsp$</condition>
<condition type="request-url" operator="notequal">html$</condition>
<condition type="request-url" operator="notequal">pdf$</condition>
<condition type="request-url" operator="notequal">txt$</condition>
<condition type="request-url" operator="notequal">apk$</condition>
<condition type="request-url" operator="notequal">app$</condition>
<condition type="request-url" operator="notequal">zip$</condition>
<condition type="request-url" operator="notequal">avi$</condition>
<condition type="request-url" operator="notequal">flv$</condition>
<condition type="request-url" operator="notequal">mp4$</condition>
<condition type="request-url" operator="notequal">mov$</condition>
<condition type="request-url" operator="notequal">wmv$</condition>
<condition type="request-url" operator="notequal">mp3$</condition>
<condition type="request-url" operator="notequal">wav$</condition>
<condition type="request-url" operator="notequal">jpg$</condition>
<condition type="request-url" operator="notequal">png$</condition>
<condition type="request-url" operator="notequal">/media/.*</condition>
<condition type="request-url" operator="notequal">/css/.*</condition>
<condition type="request-url" operator="notequal">/img/.*</condition>
<condition type="request-url" operator="notequal">/js/.*</condition>
<!-- negative look foward and back expresion to foward match pages that do not end in .jsp -->
<from>/.+(?:(?!jsp).).$</from>
<to type="forward">%{request-uri}.jsp</to>
</rule>
</urlrewrite>
所以这不是 URL Rewrite 的问题,而是缺少包含 x-frame-options 的 httpSecurityHeader 过滤器的问题。添加映射“/*”后,每个文件现在都设置了 antiClickJacking 选项。以下是实现此目的的 web.xml 设置。
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>