X-FRAME-OPTIONS TO DENY


0

I need some direction. I am developing an application where, on one of the screens, users are allowed to view a specific report of the page. To avoid being redirected to the report when clicking the option to generate it, I created a way to display it in a modal-style dialog. (The modal display part is even working.)

Modal page

<head>
    <meta http-equiv="X-FRAME-OPTIONS" content="SAMEORIGIN">
</head>

<div class="modal  fade" id="relatorios" tabindex="-1" role="dialog" th:fragment="relatorios">
    <div class="modal-dialog">
        <div class="modal-content">
            <div class="modal-header">
                <button type="button" class="close" data-dismiss="modal"><i>&times;</i></button>
            <h4 class="modal-title">Relatórios</h4>
            </div>

            <div id="modal_relatorio" class="modal-body">
                <div id="containerRelatorio"></div>
            </div>
        </div>
    </div>

    <th:block th:replace="hbs/TemplateRelatorio"></th:block>
</div>

</html>

I use JavaScript to render this page with the help of Handlebars.

// Declare the namespace with var so this line does not throw when Pegasus is not yet defined
var Pegasus = Pegasus || {};

Pegasus.Relatorio = (function() {

    function Relatorio() {
        this.relatorioBtn = $('.js-relatorio-btn');
        this.containerRelatorio = $('#containerRelatorio');
        this.source = $('#template-relatorio').html();
        this.template = Handlebars.compile(this.source);
    }

    Relatorio.prototype.enable = function() {
        this.relatorioBtn.on('click', onRelatorioClicado.bind(this));

    }

    function onRelatorioClicado(evento) {
        // Use the handler's own parameter, not the non-standard global `event`
        evento.preventDefault();
        var botaoClicado = $(evento.currentTarget);
        var url = botaoClicado.data('url');

        var context = {url_relatorio: url};
        var html = this.template(context);
        this.containerRelatorio.html(html);
    }
    return Relatorio;
}());

$(function() {
    var relatorio = new Pegasus.Relatorio();
    relatorio.enable();
})

Template to be rendered:

<script id="template-relatorio" type="text/x-handlebars-template">
    <iframe id="frame-relatorio" src="{{url_relatorio}}" width="568" height="440" frameborder="0"></iframe>
</script>

The only way I found to achieve my goal was using an iframe, but I'm practically stuck because the error message

Refused to display 'http://localhost:8080/pegasus/relatorios/fichaIdentificacao/2018000009' in a frame because it set 'X-Frame-Options' to 'deny'.

prevents the PDF from being displayed within the modal in question. Even with the X-FRAME-OPTIONS meta tag set to SAMEORIGIN in the modal's head, I cannot succeed. I believe I have to put this information inside the function that generates the PDF.

Function generating the PDF:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

import br.com.pegasus.service.RelatorioService;

@Controller
@RequestMapping("/relatorios")
public class RelatoriosController {

    @Autowired
    private RelatorioService relatorioService;

    @GetMapping("/fichaIdentificacao/{registro}")
    public ResponseEntity<byte[]> gerarRelatorioFichaIdentificacao(@PathVariable("registro") String registro) throws Exception {
        byte[] relatorio = relatorioService.gerarRelatorioFichaIdentificacao(registro);

        return ResponseEntity.ok().header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_PDF_VALUE)
                .body(relatorio);
    }

}

Can someone help me solve this problem, or suggest some other way to display this PDF to the user?

PS: One thing I forgot to add: my container is Tomcat 8.

1 answer

0


As the system in question is using Spring Security, I found the solution in this Stack Overflow resolution: Solution

With this, just put the following in the Spring Security settings:

http
   .headers()
      .frameOptions()
         .sameOrigin()
         .and()

Placed before the other settings I had already added, it solved the issue of FRAME set to DENY.
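
A narrower variant of the configuration in the answer above, as an added example that is not part of the original answer: it keeps `X-Frame-Options: DENY` for the rest of the application and sends `SAMEORIGIN` only for the report endpoints that the modal frames. The class name `SecurityConfig` and the `WebSecurityConfigurerAdapter` style are assumptions; the `/relatorios/**` pattern comes from the controller in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; merge the headers() section into the application's existing configuration.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the report endpoints are framed, and only by the modal on the same origin.
        // The pattern is matched without the servlet context path (/pegasus).
        RequestMatcher reports = new AntPathRequestMatcher("/relatorios/**");

        http
            .headers()
                // Switch off the single global X-Frame-Options writer (Spring Security default: DENY)
                .frameOptions().disable()
                // Report responses may be framed by pages of the same origin
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        reports,
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
                // Every other response keeps the stricter DENY
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(reports),
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)));

        // The application's other settings (authorization rules, login, and so on) follow here.
    }
}
```

The browser evaluates `X-Frame-Options` on the response being framed, so the `<meta http-equiv="X-FRAME-OPTIONS">` tag in the modal page has no effect on the PDF response.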
