Set mode of frame options to SAMEORIGIN (#2761)

#### What type of PR is this? /kind bug /area core #### What this PR does / why we need it: The problem https://github.com/halo-dev/halo/issues/2743 was introduced by https://github.com/halo-dev/halo/pull/2729. This Pr mainly resolves it by setting SAMEORIGIN mode for frame options. ![image](https://user-images.githubusercontent.com/16865714/203795956-6efec450-da5f-4222-884d-5a67cb113173.png) #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/2743 #### Special notes for your reviewer: #### Does this PR introduce a user-facing change? ```release-note None ```
2022-11-24 21:39:06 +08:00 · 2022-11-24 21:39:06 +08:00 · 12fd77f61f
parent 61c7459ccf
commit 12fd77f61f
1 changed files with 4 additions and 0 deletions
--- a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -1,6 +1,7 @@
 package run.halo.app.config;

 import static org.springframework.security.config.Customizer.withDefaults;
+import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;

 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWKSet;
@ -60,6 +61,9 @@ public class WebServerSecurityConfig {
            .access(new RequestInfoAuthorizationManager(roleService))
            .pathMatchers("/**").permitAll()
            .and()
+            .headers()
+            .frameOptions().mode(SAMEORIGIN)
+            .and()
            .anonymous(anonymousSpec -> {
                anonymousSpec.authorities(AnonymousUserConst.Role);
                anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);