
'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY'). Falling back to 'deny'.

Former Member

We are on hybris 6.3 and experiencing this issue.

  • According to the hybris experts site (https://experts.hybris.com/questions/77868/use-of-hybris-commerce-in-iframe.html), we need to check on a settings change.

  • In a properties file, we set the following: xss.filter.header.X-Frame-Options=SAMEORIGIN

  • However, there also appears to be a setting for DENY as we see this: Refused to display 'https://theUrl/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY'). Falling back to 'deny'.

  • I cannot find where else this value is set. It is not in the Apache httpd.conf file.

  • I checked with our network team to see if they do inject this setting but they said they do not.

Any ideas where the additional DENY is being set in hybris (or elsewhere)?

Accepted Solutions (1)

tsang
Explorer

Hi William,

I was facing the exact same issue. In our case the application was updated from 5.x to 6.x. Hybris updated the Spring version in 6.x.

So the reason for this behaviour is the default value within Spring Security. It allows users to easily inject the default security headers to assist in protecting their application. See https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html

Within the yacceleratorstorefront storefront, for example, you will find the spring-security-config.xml, which contains two entries for the . This will disable the application-based security setting.

Unfortunately, due to the migration of the existing (old) frontend, the entry is missing in our storefront. Therefore the default behaviour is DENY.

How to fix this: you have to modify your Spring Security XML (in the storefront project) and add the following code:

<security:headers>
    <security:frame-options disabled="true"/>
</security:headers>
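A quick way to confirm which X-Frame-Options value a browser will actually enforce, as an added example that is not part of the answer above or of SAP Commerce itself: the script below parses a raw HTTP response head (the kind `curl -i` prints) and applies the rule quoted in the question, namely that two distinct X-Frame-Options values, whether sent as two header lines or merged by a proxy into one comma-joined value, make the browser fall back to deny. The response heads embedded in it are constructed to mirror the "before" (SAMEORIGIN from the hybris XSS filter plus DENY from Spring Security) and "after" situations; the assumption that unrecognised tokens are ignored rather than counted as a conflict is mine and is marked in the code.

```python
"""Detect conflicting X-Frame-Options headers in an HTTP response head.

Added example, not code from the SAP Community thread or SAP Commerce.
It models the browser behaviour quoted in the question: more than one
distinct X-Frame-Options value means the frame is refused ('deny').
"""
from __future__ import annotations

VALID_POLICIES = {"DENY", "SAMEORIGIN"}

# Constructed sample: the situation described in the question (two
# headers, one from the hybris XSS filter and one from Spring Security).
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Constructed sample: only the XSS-filter header remains after the fix.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_response_head(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased. The first
    line is the status line; an empty line ends the header block. Folded
    (continuation) headers are not handled, which is fine for `curl -i`
    output from modern servers.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    pairs: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_options_tokens(headers: list[tuple[str, str]]) -> list[str]:
    """Collect every X-Frame-Options token, splitting comma-joined values
    (the form a proxy produces when it merges repeated header lines)."""
    tokens: list[str] = []
    for name, value in headers:
        if name == "x-frame-options":
            tokens.extend(t.strip().upper() for t in value.split(",") if t.strip())
    return tokens


def effective_frame_policy(headers: list[tuple[str, str]]) -> tuple[str, bool]:
    """Return (policy, conflict).

    policy is 'allow' (no usable header), 'deny' or 'sameorigin';
    conflict is True when distinct valid values were sent, in which case
    the browser falls back to deny regardless of the order of the headers.
    """
    tokens = frame_options_tokens(headers)
    # Assumption (not stated on the page): unrecognised tokens are ignored
    # rather than treated as a conflicting value.
    distinct_valid = {t for t in tokens if t in VALID_POLICIES}
    if not distinct_valid:
        return ("allow", False)
    if len(distinct_valid) > 1:
        return ("deny", True)
    return (distinct_valid.pop().lower(), False)


if __name__ == "__main__":
    for label, head in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        policy, conflict = effective_frame_policy(parse_response_head(head))
        print(f"{label}: effective policy={policy} conflict={conflict}")
```

Run it against a real response with `curl -si https://your-storefront/ | python3 -c 'import sys,xfo; print(xfo.effective_frame_policy(xfo.parse_response_head(sys.stdin.read())))'` (module name assumed) to verify the fix on the deployed system rather than in the XML alone, since a load balancer or reverse proxy in front of hybris can add its own header. As a design note, the Spring Security XML namespace also accepts `<security:frame-options policy="SAMEORIGIN"/>`, which keeps Spring Security's header but makes it agree with the XSS filter instead of disabling it; either way the script above should report a single `sameorigin` with no conflict.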

Answers (0)