From ronald.p...@googlemail.com on August 17, 2012 02:41:28
I have used the ClickjackFilter, but I noticed that in some cases the header simply was not set on the response. I looked at the code and noticed that the header is added after chain.doFilter(request, response).
This seems to be a problem at least in Tomcat 6. I moved res.addHeader("X-FRAME-OPTIONS", mode) before chain.doFilter(request, response) and it worked fine in every case.
There is also a discussion about this on Stack Overflow: http://stackoverflow.com/questions/11371755/clickjacking-filter-to-add-x-frame-options-in-response I would suggest moving it before doFilter.
Best,
Ronald
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=283
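The ordering fix described in the report, as an added example that is not the ESAPI ClickjackFilter and not code from the issue: the header is set before chain.doFilter, because once a downstream servlet commits the response (by writing past the buffer size or calling flushBuffer) the container silently discards any header added afterwards, which is the symptom reported above. The class name FrameOptionsFilter and the handling of the "mode" init-param are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not ESAPI's): sets X-FRAME-OPTIONS before delegating down the chain.
public class FrameOptionsFilter implements Filter {

    private String mode = "DENY";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("mode");
        // Accept only the two values browsers understand; default is DENY.
        if ("SAMEORIGIN".equalsIgnoreCase(configured)) {
            mode = "SAMEORIGIN";
        } else if (configured != null && !"DENY".equalsIgnoreCase(configured)) {
            throw new ServletException("Unsupported X-FRAME-OPTIONS mode: " + configured);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;

        // Set the header BEFORE the servlet runs. If the servlet commits the response,
        // headers added after chain.doFilter() never reach the client.
        res.setHeader("X-FRAME-OPTIONS", mode);

        chain.doFilter(request, response);

        // Defensive re-check: if a downstream component reset the headers but has not
        // committed yet, restore ours. On a committed response this is deliberately a no-op.
        if (!res.isCommitted() && !res.containsHeader("X-FRAME-OPTIONS")) {
            res.setHeader("X-FRAME-OPTIONS", mode);
        }
    }

    @Override
    public void destroy() {
    }
}
```

Verify the fix the same way the report did: request a page whose servlet writes a large body or calls flushBuffer, and confirm X-FRAME-OPTIONS is present in the response headers.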