From ff38870bbe210451e6d1d3abb4acef06a04185d3 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 8 Jul 2026 18:22:58 -0700 Subject: [PATCH 1/4] Eliminate X-Frame-Options setting --- .../org/labkey/api/security/AuthFilter.java | 3 --- api/src/org/labkey/api/settings/AppProps.java | 5 ----- .../org/labkey/api/settings/AppPropsImpl.java | 7 ------- .../api/settings/SiteSettingsProperties.java | 8 -------- .../labkey/api/settings/WriteableAppProps.java | 5 ----- api/src/org/labkey/api/util/ExceptionUtil.java | 2 -- .../labkey/api/view/template/PageConfig.java | 16 ---------------- core/src/org/labkey/core/CoreModule.java | 2 -- .../org/labkey/core/admin/AdminController.java | 18 ------------------ .../org/labkey/core/admin/customizeSite.jsp | 9 --------- .../org/labkey/core/login/LoginController.java | 10 ---------- .../org/labkey/core/user/UserController.java | 9 --------- .../view/template/bootstrap/pageTemplate.jsp | 3 --- 13 files changed, 97 deletions(-) diff --git a/api/src/org/labkey/api/security/AuthFilter.java b/api/src/org/labkey/api/security/AuthFilter.java index 21e2eb90061..0badfd517c0 100644 --- a/api/src/org/labkey/api/security/AuthFilter.java +++ b/api/src/org/labkey/api/security/AuthFilter.java @@ -55,7 +55,6 @@ public class AuthFilter implements Filter private static final Object FIRST_REQUEST_LOCK = new Object(); public static final String STRICT_TRANSPORT_SECURITY_HEADER_NAME = "Strict-Transport-Security"; - public static final String X_FRAME_OPTIONS_HEADER_NAME = "X-Frame-Options"; public static final String X_CONTENT_TYPE_OPTIONS_HEADER_NAME = "X-Content-Type-Options"; public static final String REFERRER_POLICY_HEADER_NAME = "Referrer-Policy"; public static final String SERVER_HEADER_NAME = "Server"; @@ -87,8 +86,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha if (ModuleLoader.getInstance().isStartupComplete()) { - if (!"ALLOW".equals(AppProps.getInstance().getXFrameOption())) - resp.setHeader(X_FRAME_OPTIONS_HEADER_NAME, AppProps.getInstance().getXFrameOption()); resp.setHeader(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, "nosniff"); resp.setHeader(REFERRER_POLICY_HEADER_NAME, "origin-when-cross-origin" ); diff --git a/api/src/org/labkey/api/settings/AppProps.java b/api/src/org/labkey/api/settings/AppProps.java index 1687f2cc748..3ae76372530 100644 --- a/api/src/org/labkey/api/settings/AppProps.java +++ b/api/src/org/labkey/api/settings/AppProps.java @@ -211,11 +211,6 @@ static WriteableAppProps getWriteableInstance() // configurable http security settings - /** - * @return "SAMEORIGIN" or "DENY" or "ALLOW" - */ - String getXFrameOption(); - String getStaticFilesPrefix(); boolean isWebfilesRootEnabled(); diff --git a/api/src/org/labkey/api/settings/AppPropsImpl.java b/api/src/org/labkey/api/settings/AppPropsImpl.java index 424b5ed7f3e..60b22b957fe 100644 --- a/api/src/org/labkey/api/settings/AppPropsImpl.java +++ b/api/src/org/labkey/api/settings/AppPropsImpl.java @@ -554,13 +554,6 @@ public boolean isAllowSessionKeys() return lookupBooleanValue(allowSessionKeys, false); } - @Override - public String getXFrameOption() - { - return lookupStringValue(XFrameOption, "SAMEORIGIN"); - } - - private static final String not_init = ""; private String staticFilesPrefix = not_init; diff --git a/api/src/org/labkey/api/settings/SiteSettingsProperties.java b/api/src/org/labkey/api/settings/SiteSettingsProperties.java index 0eb0a639a33..961ecb54868 100644 --- a/api/src/org/labkey/api/settings/SiteSettingsProperties.java +++ b/api/src/org/labkey/api/settings/SiteSettingsProperties.java @@ -178,14 +178,6 @@ public void setValue(WriteableAppProps writeable, String value) writeable.setAdminOnlyMessage(value); } }, - XFrameOption("Controls whether or not a browser may render a server page in a ,