I noticed that the SecurityHeadersAttribute is setting X-Frame-Options to SAMEORIGIN:
https://github.com/DuendeSoftware/IdentityServer.Templates/blob/f1ebc1c3d408716e28869c68cbdb2f073c32ebff/src/IdentityServerEntityFramework/Pages/SecurityHeadersAttribute.cs#L26

However, based on the Content-Security-Policy containing frame-ancestors 'none', I would expect X-Frame-Options to be DENY:
https://github.com/DuendeSoftware/IdentityServer.Templates/blob/f1ebc1c3d408716e28869c68cbdb2f073c32ebff/src/IdentityServerEntityFramework/Pages/SecurityHeadersAttribute.cs#L30

Could you check if this is unintentional?

@PascalAlbrechtComparis you are right, this is inconsistent. On a modern browser that supports CSP, the CSP frame-ancestors 'none' will take precedence and the more permissive X-Frame-Options: SAMEORIGIN will be ignored.
This code is part of our templates, which is meant to be exactly a template or starting point for a developer to customise the way they want. So it is perfectly fine for anyone finding these values inconsistent to change them in their own code created from the template.
But our template code should not be confusing in the first place; I will look into updating the templates to use DENY.
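To make the precedence rule discussed above concrete, here is an added Python check (example code written for this page, not code from the IdentityServer templates or from either participant). It models which framing policy a browser actually enforces when both X-Frame-Options and a CSP frame-ancestors directive are present, and flags the SAMEORIGIN versus frame-ancestors 'none' mismatch the issue reports. The header dictionaries and the CSP string are constructed for the example; the only directive value taken from the thread is frame-ancestors 'none'.

```python
"""Framing-policy consistency check (added example, not template code).

Precedence modelled here: a browser that implements CSP frame-ancestors
enforces that directive and ignores X-Frame-Options when both are present;
a browser without frame-ancestors support only reads X-Frame-Options.
Because the two headers serve different browser generations, they should
express the same policy.
"""

from typing import Optional


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def frame_ancestors(headers: dict[str, str]) -> Optional[list[str]]:
    """Return the frame-ancestors source list, or None if CSP does not set it."""
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return None
    return parse_csp(csp).get("frame-ancestors")


def xfo_as_frame_ancestors(xfo: str) -> Optional[list[str]]:
    """Translate an X-Frame-Options token into equivalent frame-ancestors sources."""
    token = xfo.strip().upper()
    if token == "DENY":
        return ["'none'"]
    if token == "SAMEORIGIN":
        return ["'self'"]
    return None  # ALLOW-FROM is obsolete; unknown tokens are not mappable


def effective_policy(headers: dict[str, str], csp_supported: bool = True) -> Optional[list[str]]:
    """Framing policy a browser will enforce for this response.

    csp_supported=True models a browser with CSP frame-ancestors support:
    that directive wins and X-Frame-Options is ignored.
    csp_supported=False models a legacy browser that only honours X-Frame-Options.
    """
    fa = frame_ancestors(headers) if csp_supported else None
    if fa is not None:
        return fa
    xfo = headers.get("X-Frame-Options")
    return xfo_as_frame_ancestors(xfo) if xfo else None


def check_consistency(headers: dict[str, str]) -> list[str]:
    """Return findings when the two framing headers disagree or are missing."""
    findings: list[str] = []
    fa = frame_ancestors(headers)
    xfo = headers.get("X-Frame-Options")
    if fa is None and xfo is None:
        findings.append("no framing protection: set frame-ancestors and X-Frame-Options")
        return findings
    if fa is None or xfo is None:
        findings.append("only one framing header set; set both for old and new browsers")
        return findings
    mapped = xfo_as_frame_ancestors(xfo)
    if mapped != [s.lower() for s in fa]:
        findings.append(
            f"X-Frame-Options {xfo.strip()} does not match frame-ancestors {' '.join(fa)}"
        )
    return findings


# Constructed samples (not the template's real header set): the first mirrors
# the mismatch reported in the issue, the second the proposed DENY fix.
TEMPLATE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
FIXED_HEADERS = {**TEMPLATE_HEADERS, "X-Frame-Options": "DENY"}


if __name__ == "__main__":
    for label, hdrs in (("template", TEMPLATE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, "modern:", effective_policy(hdrs),
              "legacy:", effective_policy(hdrs, csp_supported=False),
              "findings:", check_consistency(hdrs))
```

With the inconsistent headers a CSP-aware browser ends up with 'none' while a legacy browser that only reads X-Frame-Options allows same-origin framing; with DENY both generations enforce the same policy, which is why the check treats the mismatch as a finding rather than a cosmetic issue.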