Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive

rwinch · rwinch · commit a907026eae73 · 2020-06-10T11:48:56.000-05:00
Closes gh-8677
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc
@@ -1034,6 +1034,10 @@ frame-options.attlist &=
 	attribute value {xsd:string}?
 frame-options.attlist &=
 	## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'.
+	## Deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+	## Content-Security-Policy with the
+	## <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+	## directive.
 	attribute from-parameter {xsd:string}?
 
 
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd
@@ -3000,7 +3000,10 @@
       <xs:attribute name="from-parameter" type="xs:string">
          <xs:annotation>
             <xs:documentation>Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp'
-                based strategy. Default is 'from'.
+                based strategy. Default is 'from'. Deprecated ALLOW-FROM is an obsolete directive that no
+                longer works in modern browsers. Instead use Content-Security-Policy with the &lt;a
+                href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"&gt;frame-ancestors&lt;/a&gt;
+                directive.
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
diff --git a/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java b/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java
@@ -52,7 +52,12 @@ public class XsdDocumentedTests {
 		"nsa-websocket-security",
 		"nsa-ldap",
 		"nsa-method-security",
-		"nsa-web");
+		"nsa-web",
+		// deprecated and for removal
+		"nsa-frame-options-strategy",
+		"nsa-frame-options-ref",
+		"nsa-frame-options-value",
+		"nsa-frame-options-from-parameter");
 
 	String referenceLocation = "../docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc";
 
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
@@ -504,43 +504,12 @@ Default false.
 ** `DENY` The page cannot be displayed in a frame, regardless of the site attempting to do so.
 This is the default when frame-options-policy is specified.
 ** `SAMEORIGIN` The page can only be displayed in a frame on the same origin as the page itself
-** `ALLOW-FROM origin` The page can only be displayed in a frame on the specified origin.
 
 +
 
 In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site.
 On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame it is the same as the one serving the page.
 
-[[nsa-frame-options-strategy]]
-* **strategy**
-Select the `AllowFromStrategy` to use when using the ALLOW-FROM policy.
-
-** `static` Use a single static ALLOW-FROM value.
-The value can be set through the <<nsa-frame-options-value,value>> attribute.
-** `regexp` Use a regular expression to validate incoming requests and if they are allowed.
-The regular expression can be set through the <<nsa-frame-options-value,value>> attribute.
-The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
-** `whitelist` A comma-separated list containing the allowed domains.
-The comma-separated list can be set through the <<nsa-frame-options-value,value>> attribute.
-The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
-
-
-
-
-[[nsa-frame-options-ref]]
-* **ref**
-Instead of using one of the predefined strategies it is also possible to use a custom `AllowFromStrategy`.
-The reference to this bean can be specified through this ref attribute.
-
-
-[[nsa-frame-options-value]]
-* **value**
-The value to use when ALLOW-FROM is used a <<nsa-frame-options-strategy,strategy>>.
-
-
-[[nsa-frame-options-from-parameter]]
-* **from-parameter**
-Specify the name of the request parameter to use when using regexp or whitelist for the ALLOW-FROM strategy.
 
 
 [[nsa-frame-options-parents]]
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java
@@ -29,7 +29,12 @@
  *
  * @author Marten Deinum
  * @since 3.2
+ * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+ * Content-Security-Policy with the
+ * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+ * directive.
  */
+@Deprecated
 abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStrategy {
 
 	private static final String DEFAULT_ORIGIN_REQUEST_PARAMETER = "x-frames-allow-from";
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java
@@ -23,7 +23,12 @@
  *
  * @author Marten Deinum
  * @since 3.2
+ * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+ * Content-Security-Policy with the
+ * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+ * directive.
  */
+@Deprecated
 public interface AllowFromStrategy {
 
 	/**
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java
@@ -26,7 +26,12 @@
  *
  * @author Marten Deinum
  * @since 3.2
+ * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+ * Content-Security-Policy with the
+ * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+ * directive.
  */
+@Deprecated
 public final class RegExpAllowFromStrategy extends
 		AbstractRequestParameterAllowFromStrategy {
 
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java
@@ -20,7 +20,13 @@
 
 /**
  * Simple implementation of the {@code AllowFromStrategy}
+ *
+ * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+ * Content-Security-Policy with the
+ * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+ * directive.
  */
+@Deprecated
 public final class StaticAllowFromStrategy implements AllowFromStrategy {
 
 	private final URI uri;
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java
@@ -24,7 +24,12 @@
  *
  * @author Marten Deinum
  * @since 3.2
+ * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+ * Content-Security-Policy with the
+ * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+ * directive.
  */
+@Deprecated
 public final class WhiteListedAllowFromStrategy extends
 		AbstractRequestParameterAllowFromStrategy {
 
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java
@@ -68,7 +68,13 @@ public XFrameOptionsHeaderWriter(XFrameOptionsMode frameOptionsMode) {
 	 *
 	 * @param allowFromStrategy the strategy for determining what the value for ALLOW_FROM
 	 * is.
+	 *
+	 * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+	 * Content-Security-Policy with the
+	 * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+	 * directive.
 	 */
+	@Deprecated
 	public XFrameOptionsHeaderWriter(AllowFromStrategy allowFromStrategy) {
 		Assert.notNull(allowFromStrategy, "allowFromStrategy cannot be null");
 		this.frameOptionsMode = XFrameOptionsMode.ALLOW_FROM;
@@ -107,7 +113,15 @@ public void writeHeaders(HttpServletRequest request, HttpServletResponse respons
 	 * @since 3.2
 	 */
 	public enum XFrameOptionsMode {
-		DENY("DENY"), SAMEORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM");
+		DENY("DENY"), SAMEORIGIN("SAMEORIGIN"),
+		/**
+		 * @deprecated ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use
+		 * Content-Security-Policy with the
+		 * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">frame-ancestors</a>
+		 * directive.
+		 */
+		@Deprecated
+		ALLOW_FROM("ALLOW-FROM");
 
 		private String mode;
 
