From e72f6bf019e707d0fcf3a4eba7f39af28e7fa51a Mon Sep 17 00:00:00 2001
From: HappyMaarten <144103965+HappyMaarten@users.noreply.github.com>
Date: Mon, 11 Dec 2023 09:38:55 +0100
Subject: [PATCH] Added GCL Setting to suppress the X-Frame-Options SAMEORIGIN
header (#476)
---
.../Extensions/ConfigurationServiceCollectionExtensions.cs | 7 +++++++
GeeksCoreLibrary/Core/Models/GclSettings.cs | 6 ++++++
2 files changed, 13 insertions(+)
diff --git a/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs b/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
index a710685d..a600026d 100644
--- a/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
+++ b/GeeksCoreLibrary/Core/Extensions/ConfigurationServiceCollectionExtensions.cs
@@ -201,11 +201,18 @@ public static IServiceCollection AddGclServices(this IServiceCollection services
{
options.HeaderName = "X-CSRF-TOKEN";
options.Cookie.Name = "CSRF-TOKEN";
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
});
}
else
{
services.AddControllersWithViews().AddNewtonsoftJson();
+ // the call to AddControllersWithViews() (or AddMvc() for that matter) will always call AddAntiforgery() no matter what, so DisableXsrfProtection might need another look
+ // setting the XFrameOptions setting here as well makes sure this setting will always work no matter what happens with DisableXsrfProtection
+ services.AddAntiforgery(options =>
+ {
+ options.SuppressXFrameOptionsHeader = gclSettings.SuppressXFrameOptionHeader;
+ });
}
// Let MVC know about the GCL controllers.
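Review bot: Assigning `options.SuppressXFrameOptionsHeader` from the GCL setting at lines 18 and 28 switches off the only clickjacking defense the antiforgery services emit, and nothing in the hunk records that a host enabling it is then expected to supply its own framing policy. A why-comment at the first assignment would keep that trade-off visible: `// Suppressing the header removes the framework's clickjacking protection; a host that enables this must set X-Frame-Options or a CSP frame-ancestors policy itself.` The comment at lines 24-25 hedges ("might need another look") where it could state the observed fact, e.g. `// AddControllersWithViews() registers antiforgery services itself, so the option is configured here too to keep it effective when DisableXsrfProtection is set.` The body of AddGclServices starts before and continues past this hunk.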
diff --git a/GeeksCoreLibrary/Core/Models/GclSettings.cs b/GeeksCoreLibrary/Core/Models/GclSettings.cs
index 330e19d0..bc88d76a 100644
--- a/GeeksCoreLibrary/Core/Models/GclSettings.cs
+++ b/GeeksCoreLibrary/Core/Models/GclSettings.cs
@@ -231,6 +231,12 @@ public GclSettings()
/// By default the GCL adds XSRF protection in the form of anti forgery tokens. To disable this functionality, set this option to .
///
public bool DisableXsrfProtection { get; set; }
+
+ ///
+ /// Specifies whether to suppress the generation of X-Frame-Options header which is used to prevent ClickJacking.
+ /// By default, the X-Frame-Options header is generated with the value SAMEORIGIN. If this setting is 'true', the X-Frame-Options header will not be generated for the response.
+ ///
+ public bool SuppressXFrameOptionHeader { get; set; }
///
/// In Wiser 3 we created a new templates module from scratch, which will be used by default.
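Review bot: The summary at line 43 reads as if the header accompanies every response by default, whereas, as I read the framework, antiforgery adds `X-Frame-Options: SAMEORIGIN` only on responses where it generates tokens (forms and explicit token requests); the doc comment should say so, and it should also state that the host is responsible for its own framing policy when the setting is `true`, since setting it to `true` drops the only clickjacking defense the library configures. The property name `SuppressXFrameOptionHeader` differs from the framework's `AntiforgeryOptions.SuppressXFrameOptionsHeader` by one letter, which is easy to mistype in configuration; if the name is not yet published, aligning it to `SuppressXFrameOptionsHeader` avoids that. The `<summary>` tags appear stripped in this rendering, so I cannot tell whether the new block is well-formed XML; worth checking before merge.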