Merge pull request #1389 from DuendeSoftware/anders/x-frame-deny

Consistent X-Frame-Options/CSP
DuendeSoftware · Aug 8, 2023 · df2b00b · df2b00b
2 parents cc97ac2 + 1c0220d
commit df2b00b
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/hosts/AspNetIdentity/Pages/SecurityHeadersAttribute.cs b/hosts/AspNetIdentity/Pages/SecurityHeadersAttribute.cs
@@ -24,7 +24,7 @@ public override void OnResultExecuting(ResultExecutingContext context)
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
             if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
             {
-                context.HttpContext.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
+                context.HttpContext.Response.Headers.Append("X-Frame-Options", "DENY");
             }
 
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

diff --git a/hosts/Configuration/Pages/SecurityHeadersAttribute.cs b/hosts/Configuration/Pages/SecurityHeadersAttribute.cs
@@ -24,7 +24,7 @@ public override void OnResultExecuting(ResultExecutingContext context)
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
             if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
             {
-                context.HttpContext.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
+                context.HttpContext.Response.Headers.Append("X-Frame-Options", "DENY");
             }
 
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

diff --git a/hosts/EntityFramework/Pages/SecurityHeadersAttribute.cs b/hosts/EntityFramework/Pages/SecurityHeadersAttribute.cs
@@ -24,7 +24,7 @@ public override void OnResultExecuting(ResultExecutingContext context)
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
             if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
             {
-                context.HttpContext.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
+                context.HttpContext.Response.Headers.Append("X-Frame-Options", "DENY");
             }
 
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

diff --git a/hosts/main/Pages/SecurityHeadersAttribute.cs b/hosts/main/Pages/SecurityHeadersAttribute.cs
@@ -24,7 +24,7 @@ public override void OnResultExecuting(ResultExecutingContext context)
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
             if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
             {
-                context.HttpContext.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
+                context.HttpContext.Response.Headers.Append("X-Frame-Options", "DENY");
             }
 
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy