Merge branch 'main' into develop

GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs

@@ -201,11 +201,18 @@ public static IServiceCollection AddGclServices(this IServiceCollection services
  {
  options.HeaderName = "X-CSRF-TOKEN";
  options.Cookie.Name = "CSRF-TOKEN";
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
  });
  }
  else
  {
  services.AddControllersWithViews().AddNewtonsoftJson();
+ // the call to AddControllersWithViews() (or AddMvc() for that matter) will always call AddAntiforgery() no matter what, so DisableXsrfProtection might need another look
+ // setting the XFrameOptions setting here as well makes sure this setting will always work no matter what happens with DisableXsrfProtection
+ services.AddAntiforgery(options =>
+ {
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
+ });
  }
 
  // Let MVC know about the GCL controllers.

GeeksCoreLibrary/Core/Models/GclSettings.cs

@@ -231,6 +231,12 @@ public GclSettings()
  /// By default the GCL adds XSRF protection in the form of anti forgery tokens. To disable this functionality, set this option to <see langword="true"/>.
  /// </summary>
  public bool DisableXsrfProtection { get; set; }
+
+ /// <summary>
+ /// Specifies whether to suppress the generation of X-Frame-Options header which is used to prevent ClickJacking.
+ /// By default, the X-Frame-Options header is generated with the value SAMEORIGIN. If this setting is 'true', the X-Frame-Options header will not be generated for the response.
+ /// </summary>
+ public bool SuppressXFrameOptionHeader { get; set; }
 
  /// <summary>
  /// In Wiser 3 we created a new templates module from scratch, which will be used by default.