X-Frame-Options DENY


Hi All,
I have been trying to display associated form of task under embedded.html (within an iframe), but with no luck, getting X-Frame-Options set to DENY error.
Edoras one is deployed on tomcat 8.5, And have tried to make httpHeaderSecurity configuration changes in web.xml such as antiClickJackingEnabled = false, or antiClickJackingEnabled = true with antiClickJackingOption = ALLOW, does not have any impact on X-Frame-Options for edoras responses, it still comes as DENY.

Can you please help me to understand or route me to correct config file where these settings can be done, and X-Frame-Options can be changed.

Best Regards


Hi Tanveer.

This could be a security feature introduced for the public REST API with edoras one 2.0. If you used the unofficial public REST API addon with version 1.6, CORS (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) was enabled by default and configured to allow all origins by default.

As this is quite a security issue this has been changed since 2.0. CORS is now deactivated with version 2.0 and does not allow access from servers others than the origin server.

You can reenable CORS and set the allowed origins (you should not use *) by using edoras one configuration properties. If you use YAML files as a configuration option you can use the following settings:


# Boolean property to enable or disable CORS for the rest api used by the UI.
    enabled: true

# A path into the application that should handle CORS requests. Exact path mapping URIs (such as "/admin") are supported as well as Ant-stype path patterns (such as /admin/**).
    path: /**

# Comma-separated list of HTTP methods to allow, e.g. "GET, POST". The special value "*" allows all method.
    allowed-methods: "*"

# Comma-separated list of headers that a pre-flight request can list as allowed for use during an actual request. The special value of "*" allows actual requests to send any header.
    allowed-headers: "*"

# Comma-separated list of origins to allow, e.g. "http://domain1.com, http://domain2.com". The special value "*" allows all domains.
    allowed-origins: "*"

# Whether user credentials are supported.
    allow-credentials: true

# Comma-separated list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) that an actual response might have and can be exposed.

# How long, in seconds, the response from a pre-flight request can be cached by clients.
    max-age: 1800


This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.