Inconsistent X-Frame-Options Header

[PascalAlbrechtComparis]

I noticed that the SecurityHeadersAttribute is setting X-Frame-Options to SAMEORIGIN:
https://github.com/DuendeSoftware/IdentityServer.Templates/blob/f1ebc1c3d408716e28869c68cbdb2f073c32ebff/src/IdentityServerEntityFramework/Pages/SecurityHeadersAttribute.cs#L26
However, based on the Content-Security-Policy containing frame-ancestors 'none', I would expect X-Frame-Options to be DENY:
https://github.com/DuendeSoftware/IdentityServer.Templates/blob/f1ebc1c3d408716e28869c68cbdb2f073c32ebff/src/IdentityServerEntityFramework/Pages/SecurityHeadersAttribute.cs#L30
Could you check if this is unintentional?

[josephdecock]

Thanks for bringing this to our attention, we'll investigate and update here.

[AndersAbel]

@PascalAlbrechtComparis you are right, this is inconsistent. On a modern browser that supports CSP, the CSP frame-ancestors 'none' will take precedence and the more permissive X-Frame-Options: SAMEORIGIN will be ignored.

This code is part of our templates, which is meant to be exactly a template or starting point for a developer to customise the way they want. So it is perfectly fine for anyone finding these values inconsistent to change them in their own code created from the template.

But our template code should not be confusing in the first place, I will look into updating the templates to use DENY.

[AndersAbel]

Proposed fix in DuendeSoftware/IdentityServer#1389

[PascalAlbrechtComparis]

@AndersAbel Thank you for the clarification. We have changed this in our implementation already.

It certainly helps if the template is consistent in this regard.