I'm developing a map application using Geoserver to host my layers and data. One of my goals is that when a point on the map is clicked, an iframe appears showing some information about that point. When I try it in my application the iframe is blocked; the error is X-Frame-Options set to SAMEORIGIN. Does anyone know how I can avoid it?

The Geoserver documentation has the solution, but the way I applied it had no effect on the application. https://docs.geoserver.org/latest/en/user/production/config.html

This is my exec line in start.sh that should set the policy to false:

exec "$_RUNJAVA" $JAVA_OPTS $MARLIN_ENABLER -DGEOSERVER_DATA_DIR="$GEOSERVER_DATA_DIR" -Dgeoserver.xframe.shouldSetPolicy=false -Djava.awt.headless=true -DSTOP.PORT=8079 -DSTOP.KEY=geoserver -jar start.jar
This is easy to fix by following the suggestions in the GeoServer docs.

You need to set either the geoserver.xframe.shouldSetPolicy variable to false to turn off X-Frame denial, or geoserver.xframe.policy to "ALLOW-FROM [uri]" where uri is the location of your iFrame.

Add it to the web.xml file:

<context-param>
  <param-name>geoserver.xframe.policy</param-name>
  <param-value>ALLOW-FROM http://example.com</param-value>
</context-param>

Add it to the CATALINA_OPTS or exec line in startup.sh or startup.bat using the -D form:

-Dgeoserver.xframe.shouldSetPolicy=false

Add it as a system variable (for the user running Tomcat or Jetty):

export geoserver.xframe.shouldSetPolicy=false
set geoserver.xframe.shouldSetPolicy=false
You can then easily test this is working by running a simple curl request.

First with none of the above:

curl -v http://localhost:8080/geoserver/web
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /geoserver/web HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: JSESSIONID=F844AFA320C4F711807759A2BEC96625.route1; Path=/geoserver; HttpOnly
< Location: /geoserver/web/;jsessionid=F844AFA320C4F711807759A2BEC96625.route1
< Content-Length: 0
< Date: Tue, 29 Jan 2019 11:15:49 GMT
<
* Connection #0 to host localhost left intact

Then with the policy set:

curl -v http://localhost:8085/geoserver/web
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8085 (#0)
> GET /geoserver/web HTTP/1.1
> Host: localhost:8085
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Found
< X-Frame-Options: ALLOW-FROM http://example.com
< Set-Cookie: JSESSIONID=node010koqik22omjt1b1wbqewjrmcl0.node0;Path=/geoserver
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost:8085/geoserver/web/;jsessionid=node010koqik22omjt1b1wbqewjrmcl0.node0
< Content-Length: 0
< Server: Jetty(9.4.12.v20180830)
<
* Connection #0 to host localhost left intact

And finally with X-Frame-Options turned off:

curl -v http://localhost:8085/geoserver/web
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8085 (#0)
> GET /geoserver/web HTTP/1.1
> Host: localhost:8085
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=node01pdyu4npf3xt6130w8gehjai7t0.node0;Path=/geoserver
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost:8085/geoserver/web/;jsessionid=node01pdyu4npf3xt6130w8gehjai7t0.node0
< Content-Length: 0
< Server: Jetty(9.4.12.v20180830)
<
* Connection #0 to host localhost left intact
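To turn the manual curl check above into a repeatable verification step, here is an added example (not from the answer or the GeoServer project) that reads a header dump like the ones shown and reports which X-Frame-Options policy GeoServer actually sent; the sample dumps and the localhost URL in the comment are constructed.

```shell
#!/bin/sh
# Added example: classify the X-Frame-Options header in a curl header dump.
# Reads the dump on stdin (output of `curl -v` or `curl -sI`) and prints one of:
#   absent | sameorigin | deny | allow-from <uri> | other:<value>
xfo_policy() {
    # `curl -v` prefixes response headers with "< "; `curl -sI` does not.
    # Header names are case-insensitive, so match both spellings; strip CR
    # and trailing whitespace so comparisons are exact.
    value=$(sed -n 's/^\(< \)\{0,1\}[Xx]-[Ff]rame-[Oo]ptions:[[:space:]]*//p' |
            head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "absent"          # shouldSetPolicy=false: no header at all
        return 0
    fi
    upper=$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        SAMEORIGIN)     echo "sameorigin" ;;          # GeoServer default
        DENY)           echo "deny" ;;
        "ALLOW-FROM "*) echo "allow-from ${value#* }" ;;  # keep original URI
        *)              echo "other:$value" ;;
    esac
}

# Constructed sample dumps mirroring the three curl runs in the answer.
SAMPLE_DEFAULT='< HTTP/1.1 302
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0'
SAMPLE_ALLOW='< HTTP/1.1 302 Found
< X-Frame-Options: ALLOW-FROM http://example.com
< Content-Length: 0'
SAMPLE_OFF='< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=constructed;Path=/geoserver
< Content-Length: 0'

# Live use against a running GeoServer (assumed URL):
#   curl -sI http://localhost:8080/geoserver/web | xfo_policy
```

Note that current browsers ignore ALLOW-FROM (the Content-Security-Policy frame-ancestors directive is the supported replacement), so an allow-from result confirms the server setting took effect but not that the browser will permit framing.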