fix: restore X-Frame-Options: none on /session and /session_management#3922
Merged
Conversation
The uaa-singular library embeds /session and /session_management in a cross-origin hidden iframe (opFrame) to drive OIDC session management via postMessage. When browsers see X-Frame-Options: DENY they refuse to render the page, so the postMessage handler never runs and the onLogout callback is never invoked. Add two MockMvc tests that assert the header is absent on those endpoints. They will fail until the Spring Boot 3.4.6 regression (9954dda) is corrected.
…ints During the Spring Boot 3.4.6 upgrade (9954dda) the noSecurityFilters SecurityFilterChain had its explicit frameOptions().disable() mistakenly replaced with frameOptions(withDefaults()), which defaults to DENY. The /session and /session_management endpoints must be embeddable in cross-origin iframes: the uaa-singular OIDC Session Management library loads them inside a hidden opFrame and communicates the session state back to the RP via postMessage. X-Frame-Options: DENY prevents the browser from rendering the iframe, so the onLogout callback is never invoked. Restore the previous behaviour by passing AbstractHttpConfigurer::disable (the correct Spring Security 6 equivalent of the old .disable() call).
cf-foundation-community-automation
Bot
moved this to Inbox
in Foundational Infrastructure Working Group
duanemay
previously approved these changes
May 24, 2026
github-project-automation
Bot
moved this from Inbox
to Pending Merge | Prioritized
in Foundational Infrastructure Working Group
duanemay
approved these changes
May 26, 2026
github-project-automation
Bot
moved this from Pending Merge | Prioritized
to Done
in Foundational Infrastructure Working Group
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Green test run at https://bosh.ci.cloudfoundry.org/teams/uaa/pipelines/pull-requests/jobs/uaa-singular-tests/builds/259
fix: restore X-Frame-Options: none on /session and /session_management
The uaa-singular OIDC Session Management library implements logout detection by loading
/session_management(and the legacy/session) inside a hidden cross-origin iframe called the opFrame. The embedded page posts the user's current session state back to the RP viawindow.postMessage. When the browser seesX-Frame-Options: DENYit refuses to render the iframe, so thepostMessagehandler never fires and theonLogoutcallback is never invoked — breaking silent logout for every application that integrates uaa-singular.The regression was introduced by commit 9954dda ("Upgrade to Spring Boot 3.4.6"). The
noSecurityFiltersSecurityFilterChain, which covers the no-auth endpoints including/sessionand/session_management, previously called.frameOptions().disable()to suppress the header on those paths. During the Spring Boot 3.4 migration the call was rewritten as.frameOptions(withDefaults()), which resolves toDENY— the opposite of the intended behaviour.The two new
SessionControllerMockMvcTestsassertions (header().doesNotExist("X-Frame-Options")) guard against this class of regression recurring.