From e72f6bf019e707d0fcf3a4eba7f39af28e7fa51a Mon Sep 17 00:00:00 2001
From: HappyMaarten <144103965+HappyMaarten@users.noreply.github.com>
Date: Mon, 11 Dec 2023 09:38:55 +0100
Subject: [PATCH] Added GCL Setting to suppress the X-Frame-Options SAMEORIGIN header (#476)
---
 .../Extensions/ConfigurationServiceCollectionExtensions.cs | 7 +++++++
 GeeksCoreLibrary/Core/Models/GclSettings.cs | 6 ++++++
 2 files changed, 13 insertions(+)
diff --git a/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs b/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
index a710685d..a600026d 100644
--- a/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
+++ b/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
@@ -201,11 +201,18 @@ public static IServiceCollection AddGclServices(this IServiceCollection services
 {
 options.HeaderName = "X-CSRF-TOKEN";
 options.Cookie.Name = "CSRF-TOKEN";
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
 });
 }
 else
 {
 services.AddControllersWithViews().AddNewtonsoftJson();
+ // the call to AddControllersWithViews() (or AddMvc() for that matter) will always call AddAntiforgery() no matter what, so DisableXsrfProtection might need another look
+ // setting the XFrameOptions setting here as well makes sure this setting will always work no matter what happens with DisableXsrfProtection
+ services.AddAntiforgery(options =>
+ {
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
+ });
 }
 
 // Let MVC know about the GCL controllers.
diff --git a/GeeksCoreLibrary/Core/Models/GclSettings.cs b/GeeksCoreLibrary/Core/Models/GclSettings.cs
index 330e19d0..bc88d76a 100644
--- a/GeeksCoreLibrary/Core/Models/GclSettings.cs
+++ b/GeeksCoreLibrary/Core/Models/GclSettings.cs
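Review bot: The option is now assigned in both branches, and the added comment itself admits the `else` copy exists only because `AddControllersWithViews()` registers antiforgery regardless; since `AddAntiforgery(Action<AntiforgeryOptions>)` is `AddAntiforgery()` plus `Configure`, a single `services.Configure<AntiforgeryOptions>(o => o.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader);` placed after the if/else would cover both paths and remove the duplication. The remark "DisableXsrfProtection might need another look" leaves an open security question as an inline aside: registering the antiforgery services does not by itself validate tokens, so what that flag really disables is presumably the validation filter configured elsewhere, and this deserves a tracked `// TODO: confirm DisableXsrfProtection still disables token validation now that antiforgery is always registered` with an issue reference rather than a parenthetical. Also worth stating in the comment that, as far as I recall from DefaultAntiforgery, X-Frame-Options is only written on responses where antiforgery tokens are generated, so suppressing it here is not a site-wide clickjacking switch in either direction. The `if`/`else` condition this hunk sits inside starts outside the hunk.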
@@ -231,6 +231,12 @@ public GclSettings()
 /// By default the GCL adds XSRF protection in the form of anti forgery tokens. To disable this functionality, set this option to .
 ///
 public bool DisableXsrfProtection { get; set; }
+
+ ///
+ /// Specifies whether to suppress the generation of X-Frame-Options header which is used to prevent ClickJacking.
+ /// By default, the X-Frame-Options header is generated with the value SAMEORIGIN. If this setting is 'true', the X-Frame-Options header will not be generated for the response.
+ ///
+ public bool SuppressXFrameOptionHeader { get; set; }
 
 ///
 /// In Wiser 3 we created a new templates module from scratch, which will be used by default.
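Review bot: The new property name drops the "s" from the framework option it is mapped onto (`SuppressXFrameOptionHeader` versus `AntiforgeryOptions.SuppressXFrameOptionsHeader`), which will trip anyone searching configuration for the ASP.NET Core name; unless the spelling has already shipped publicly, renaming it to `SuppressXFrameOptionsHeader` before release is cheaper than carrying the inconsistency. The summary should also carry the caveat a practitioner needs: enabling this removes the only framing defence the GCL adds, so the application must send its own `Content-Security-Policy: frame-ancestors ...` (or X-Frame-Options) if it still needs to restrict embedding, and the flag defaults to false; I would put that in a `/// <remarks>` block under the summary. If, as I recall, the header is only emitted by antiforgery on responses where it generates tokens, "the X-Frame-Options header is generated with the value SAMEORIGIN" overstates the coverage and should say "on responses where antiforgery tokens are generated". The enclosing GclSettings class continues outside the hunk.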