Closed koolraap closed 7 years ago
One of our clients (foobar.com) is calling our IDSRV (example.com) with an endsession request from an iframe. The response contains XFO: SAMEORIGIN. They would like us to remove this.
This would open up your signout page to a click-jacking attack. You can do whatever you want, but we won't be removing this from IdentityServer.
Thanks Brock, I appreciate the reply. I'll let the client make the decision.
One of our clients (foobar.com) is calling our IDSRV (example.com) with an endsession request from an iframe. The response contains XFO: SAMEORIGIN. They would like us to remove this.
Assuming that it's a good idea, I'm not sure how to either remove the XFO header or add a CSP iframe exception.

`IdentityServerOptions.ProtocolLogoutUrls` looked promising, but the generated URL is relative to the IDSRV base URL, so I can't set it to a different domain.

`[SecurityHeaders(EnableXfo = false)]` on the EndSessionController would mean recompiling IdentityServer3, and I don't want to be the guy who disabled security headers for all of our clients.

`_request.SetSuppressXfo()` would do the trick, but I don't know where I can add that in our code so it'll be useful.

I feel like I'm missing something obvious (quite probably: Don't!).
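The three options discussed in this thread (keep the default `X-Frame-Options: SAMEORIGIN`, drop the header entirely, or add a CSP `frame-ancestors` exception for the one client) behave very differently once an unrelated site tries to frame the endsession page. The script below is an added example, not code from IdentityServer3 or from anyone in this thread: it simulates, in a simplified way, how a CSP Level 2 browser decides whether a framing origin is allowed, and runs the three header sets against a few framing pages. The endsession URL, the `foobar.com` client, the `attacker.example` host and the policy names are constructed for the example; `frame-ancestors` taking precedence over `X-Frame-Options` when both are present is per the CSP2 specification, and the source-expression matcher covers only `'self'`, `'none'`, scheme-only and host (optionally wildcard-subdomain) sources.

```python
"""Simulate a browser's framing decision for X-Frame-Options vs. CSP frame-ancestors.

Added example for the IdentityServer3 endsession/XFO discussion; this is not
IdentityServer code. Matching is a simplified subset of the CSP2 rules.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, dropping default ports."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port is None or p.port == _DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{p.port}"


def _matches_source(expr: str, ancestor: str, own: str) -> bool:
    """Does one frame-ancestors source expression permit the ancestor origin?"""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return ancestor == own
    if expr.endswith(":") and "/" not in expr:          # scheme-source, e.g. "https:"
        return ancestor.startswith(expr + "//")
    scheme, _, hostport = expr.partition("://") if "://" in expr else ("", "", expr)
    a = urlsplit(ancestor)
    # With no explicit scheme the ancestor must use the framed page's scheme (or https).
    if scheme and a.scheme != scheme:
        return False
    if not scheme and a.scheme not in (urlsplit(own).scheme, "https"):
        return False
    host, _, port = hostport.partition(":")
    a_port = a.port or _DEFAULT_PORTS.get(a.scheme)
    if port and port != "*" and int(port) != a_port:
        return False
    if host.startswith("*."):
        return (a.hostname or "").endswith(host[1:])   # "*.foobar.com" -> ".foobar.com"
    return a.hostname == host


def framing_allowed(headers: dict, framed_url: str, framing_url: str) -> bool:
    """Decide whether framing_url may embed framed_url given the response headers.

    A CSP frame-ancestors directive, when present, overrides X-Frame-Options;
    with neither header the page is frameable by anyone (clickjackable).
    """
    own, ancestor = origin_of(framed_url), origin_of(framing_url)
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_matches_source(s, ancestor, own) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor == own
    return True


# Constructed for the example: an IdentityServer3-style endsession endpoint on example.com.
ENDSESSION = "https://example.com/connect/endsession"

# The three header sets discussed in the thread (names are ours).
POLICIES = {
    "idsrv-default": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo-removed": {},
    "csp-exception": {
        # XFO is kept for browsers without CSP2 support; they still block foobar.com.
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' https://foobar.com",
    },
}


def evaluate(framing_url: str) -> dict:
    """Map each policy name to whether framing_url may frame the endsession page."""
    return {name: framing_allowed(hdrs, ENDSESSION, framing_url) for name, hdrs in POLICIES.items()}


if __name__ == "__main__":
    for page in ("https://foobar.com/logout",
                 "https://attacker.example/",
                 "https://foobar.com.attacker.example/",
                 "https://example.com/account"):
        print(f"{page:45} {evaluate(page)}")
```

The point the table makes: removing the header satisfies foobar.com but also lets `attacker.example` (or a look-alike host such as `foobar.com.attacker.example`) frame the signout page, which is the clickjacking risk Brock refers to; a `frame-ancestors` exception admits only the named client origin, with the caveat that browsers lacking CSP2 support fall back to the retained `X-Frame-Options` and still refuse the frame.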