Hello,
Thanks for the info!
By the way, you can see the property useXframeOptions in the definition file $NIKU_HOME/xsd/properties-2002-02.xsd:
<xsd:complexType name="webServerInstanceType">
  ...
  <xsd:attribute name="useXframeOptions" type="xsd:boolean" use="optional" default="true"/>
  ...
</xsd:complexType>
I have just tested it on my version (15.3.0.2) but the trick does not seem to work anymore.
The header parameter is always written to the file $NIKU_HOME/tomcat-app-deploy/conf/web.xml:
<filter id="httpHeaderSecurityFilter">
  <filter-name>httpHeaderSecurityFilter</filter-name>
  <filter-class>com.niku.union.web.filter.ResponseHeaders</filter-class>
  <init-param id="httpHeaderSecurityFilterInitParam">
    <param-name>header</param-name>
    <param-value>X-FRAME-OPTIONS</param-value>
  </init-param>
  <init-param id="httpHeaderSecurityFilterInitParam2">
    <param-name>value</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
As a workaround, I edited the following file: $NIKU_HOME/.setup/scripts/j2ee/tomcat/deploy.xml
and replaced the part with the X-Frame parameter as follows:
<apply parent="/j2ee:web-app/j2ee:filter[@id = 'httpHeaderSecurityFilter']">
  <element name="filter-name" select="j2ee:filter-name">httpHeaderSecurityFilter</element>
  <element name="filter-class" select="j2ee:filter-class[text() = 'com.niku.union.web.filter.ResponseHeaders']">com.niku.union.web.filter.ResponseHeaders</element>
  <!--
  <element name="init-param" select="j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam']">
    <attribute name="id" value="httpHeaderSecurityFilterInitParam"/>
  </element>
  <element name="init-param" select="j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam2']">
    <attribute name="id" value="httpHeaderSecurityFilterInitParam2"/>
  </element>
  -->
</apply>
<!--
<apply parent="/j2ee:web-app/j2ee:filter/j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam']">
  <element name="param-name">header</element>
  <element name="param-value">X-FRAME-OPTIONS</element>
</apply>
<apply parent="/j2ee:web-app/j2ee:filter/j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam2']">
  <element name="param-name">value</element>
  <element name="param-value">SAMEORIGIN</element>
</apply>
-->
The page header before the change on the CA PPM app service was:
Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: max-age=0
Cache-Control: post-check=0, pre-check=0
Content-Encoding: gzip
Content-Length: 354
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Oct 2018 10:00:19 GMT
Server: CA PPM
X-FRAME-OPTIONS: SAMEORIGIN
After the change:
Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: max-age=0
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Encoding: gzip
Content-Length: 354
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Oct 2018 13:28:05 GMT
Server: CA PPM
Regards,
David
PS: I find it a bit disappointing that there is no checkbox on the CSA for this feature.
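
An added example, not part of the original post and not CA PPM code: a configuration audit that reads a deployed web.xml and reports whether the httpHeaderSecurityFilter still sets X-FRAME-OPTIONS, so that a change like the one above is visible in a review. The two sample documents are constructed from the fragment quoted in the post; the xmlns URI and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post's web.xml; the xmlns URI is an assumption.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter id="httpHeaderSecurityFilter">
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>com.niku.union.web.filter.ResponseHeaders</filter-class>
    <init-param id="httpHeaderSecurityFilterInitParam">
      <param-name>header</param-name>
      <param-value>X-FRAME-OPTIONS</param-value>
    </init-param>
    <init-param id="httpHeaderSecurityFilterInitParam2">
      <param-name>value</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
</web-app>"""

WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter id="httpHeaderSecurityFilter">
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>com.niku.union.web.filter.ResponseHeaders</filter-class>
  </filter>
</web-app>"""

def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def frame_header(web_xml, filter_id="httpHeaderSecurityFilter"):
    """Return (header, value) configured on the filter, or None if unset."""
    root = ET.fromstring(web_xml)
    for flt in root.iter():
        if local(flt.tag) != "filter" or flt.get("id") != filter_id:
            continue
        params = {}
        for ip in flt:
            if local(ip.tag) != "init-param":
                continue
            kv = {local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
        if params.get("header"):
            return params["header"], params.get("value")
    return None

def audit(web_xml):
    found = frame_header(web_xml)
    if found and found[0].upper() == "X-FRAME-OPTIONS":
        return f"OK: {found[0]}: {found[1]}"
    return "WARN: filter sets no X-Frame-Options header"
```

To use it on a real deployment, pass the contents of $NIKU_HOME/tomcat-app-deploy/conf/web.xml to audit().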