Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 75BEC2004C8 for ; Mon, 9 May 2016 13:22:12 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 7457116098A; Mon, 9 May 2016 11:22:12 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 959611601D4 for ; Mon, 9 May 2016 13:22:11 +0200 (CEST) Received: (qmail 68992 invoked by uid 500); 9 May 2016 11:22:10 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 68982 invoked by uid 99); 9 May 2016 11:22:10 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 May 2016 11:22:10 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 40A23C0D5B for ; Mon, 9 May 2016 11:22:10 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.279 X-Spam-Level: X-Spam-Status: No, score=-0.279 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-2.079] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id 9OXmVf8fe9qj for ; Mon, 9 May 2016 11:22:09 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 
0C7F15F475 for ; Mon, 9 May 2016 11:22:09 +0000 (UTC) Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 31F7FE0239 for ; Mon, 9 May 2016 11:22:08 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id D2AC83A043C for ; Mon, 9 May 2016 11:22:07 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1742923 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java webapps/docs/changelog.xml Date: Mon, 09 May 2016 11:22:07 -0000 To: dev@tomcat.apache.org From: violetagg@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20160509112207.D2AC83A043C@svn01-us-west.apache.org> archived-at: Mon, 09 May 2016 11:22:12 -0000 Author: violetagg Date: Mon May 9 11:22:07 2016 New Revision: 1742923 URL: http://svn.apache.org/viewvc?rev=1742923&view=rev Log: Merged revision 1742919 from tomcat/trunk: Ensure that the value for the header X-Frame-Options is constructed correctly according to the spec when ALLOW-FROM option is used: X-Frame-Options = "DENY" / "SAMEORIGIN" / ( "ALLOW-FROM" RWS SERIALIZED-ORIGIN ) RWS = 1*( SP / HTAB ) ; required whitespace Modified: tomcat/tc8.5.x/trunk/ (props changed) tomcat/tc8.5.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc8.5.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Mon May 9 11:22:07 2016 
@@ -1 +1 @@ -/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677 ,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512 
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677 ,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742919 Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1742923&r1=1742922&r2=1742923&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Mon May 9 11:22:07 2016 
@@ -77,7 +77,7 @@ public class HttpHeaderSecurityFilter ex // Anti click-jacking StringBuilder cjValue = new StringBuilder(antiClickJackingOption.headerValue); if (antiClickJackingOption == XFrameOption.ALLOW_FROM) { - cjValue.append(':'); + cjValue.append(' '); cjValue.append(antiClickJackingUri); } antiClickJackingHeaderValue = cjValue.toString(); Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1742923&r1=1742922&r2=1742923&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon May 9 11:22:07 2016 @@ -182,6 +182,11 @@ 7 onwards and Tomcat 8 requires Java 7 so the option is unnecessary. (markt) + + Ensure that the value for the header X-Frame-Options is + constructed correctly according to the specification when + ALLOW-FROM option is used. (violetagg) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
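Review bot: in the HttpHeaderSecurityFilter hunk, switching `cjValue.append(':')` to `cjValue.append(' ')` brings the separator in line with the ABNF quoted in the log message (ALLOW-FROM RWS SERIALIZED-ORIGIN), but `cjValue.append(antiClickJackingUri)` still emits the configured value verbatim, so a configured value that is not a serialized origin (a path, a trailing slash, surrounding whitespace) still produces a header the grammar does not admit and that a user agent cannot apply. Consider validating antiClickJackingUri as scheme://host[:port] at filter initialisation and rejecting anything else, and adding a unit test that asserts the exact header string `"ALLOW-FROM " + uri`, which would also catch a regression to the ':' form.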
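Review bot: the changelog hunk says the header is now "constructed correctly according to the specification" without naming it or showing the change; the ABNF in the commit log is the one from RFC 7034, so citing that RFC and stating the old and new forms (the value was emitted as ALLOW-FROM:uri and is now ALLOW-FROM uri) would let administrators confirm from an actual response header whether their deployment carries the fix.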