Laze

If I rest I rust !


A filter that resolves the Tomcat configuration warning "X-Frame-Options header not set"

Reference: 黑夜的风

 

package com.xx.xx.service;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class XFrameOptionsHeaderFilter implements Filter {

    public XFrameOptionsHeaderFilter() {
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
        // Required: cast to the HTTP-specific types to get access to setHeader
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // The actual setting: only pages from the same origin may frame this response
        response.setHeader("x-frame-options", "SAMEORIGIN");
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }

}

 

Add the following to web.xml:

<!-- Filter configuration -->
<filter>
    <filter-name>XFrameOptionsHeaderFilter</filter-name>
    <filter-class>com.xx.xx.service.XFrameOptionsHeaderFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XFrameOptionsHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

 

The result is as follows:

The embedded page no longer opens either.

 

 

If you configure ALLOW-FROM instead (reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives ), note that Chrome and Safari do not support it.

You also need to add:

response.setHeader("Content-Security-Policy", "frame-ancestors " + address); // for Safari and Chrome; address is the origin allowed to embed the page

 

As shown in the figure below (the third line sets the HttpOnly attribute; reference: https://blog.csdn.net/zhaifengmin/article/details/54232630 )
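The two headers above can be combined into a single filter. The following is an added example written for this page, not the original post's code: it sends X-Frame-Options and a Content-Security-Policy frame-ancestors directive together, so the framing policy still holds in browsers that ignore ALLOW-FROM. The package name, the class name FrameAncestorsFilter and the init-param name allowedFrameAncestor are assumptions; the post's own filter lives in com.xx.xx.service.

```java
package com.example.web; // hypothetical package; the post uses com.xx.xx.service

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Added example (not the post's code): emits both X-Frame-Options and a
 * Content-Security-Policy frame-ancestors directive. The origin that may
 * embed the application is read from a hypothetical init-param named
 * "allowedFrameAncestor" in web.xml; when it is absent, only same-origin
 * framing is allowed.
 */
public class FrameAncestorsFilter implements Filter {

    // Exactly one origin of the form scheme://host[:port]. Paths, spaces,
    // quotes and semicolons are rejected so the value cannot extend the policy.
    private static final Pattern ORIGIN =
            Pattern.compile("^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?$");

    private String xFrameOptions;
    private String contentSecurityPolicy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String ancestor = config.getInitParameter("allowedFrameAncestor");
        if (ancestor == null || ancestor.trim().isEmpty()) {
            // No external embedder configured: same-origin only, as in the post.
            xFrameOptions = "SAMEORIGIN";
            contentSecurityPolicy = "frame-ancestors 'self'";
            return;
        }
        ancestor = ancestor.trim();
        if (!ORIGIN.matcher(ancestor).matches()) {
            // Fail at deployment rather than ship a malformed policy.
            throw new ServletException(
                    "allowedFrameAncestor must be a single origin, got: " + ancestor);
        }
        // ALLOW-FROM is ignored by Chrome and Safari, which leaves them with no
        // framing restriction at all; the CSP directive covers them.
        xFrameOptions = "ALLOW-FROM " + ancestor;
        contentSecurityPolicy = "frame-ancestors 'self' " + ancestor;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) resp;
            // Set the headers before the chain runs: once a servlet commits the
            // response, later setHeader calls are silently discarded.
            response.setHeader("X-Frame-Options", xFrameOptions);
            response.setHeader("Content-Security-Policy", contentSecurityPolicy);
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

Register it with the same `<filter>` and `<filter-mapping>` elements as in the post, adding an `<init-param>` whose `<param-name>` is allowedFrameAncestor and whose `<param-value>` is the embedding origin (for example a constructed value such as https://partner.example). Note that setHeader replaces any Content-Security-Policy header the application already sends; if the application emits its own policy, append the frame-ancestors directive to that policy instead of overwriting it.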

 

With that, the problem is solved!

 

posted on 2018-09-13 10:19  CollinTsui