IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0
2.01k stars 763 forks

endsession, iframe, XFO + CSP #3371

Closed koolraap closed 7 years ago

koolraap commented 7 years ago

One of our clients (foobar.com) is calling our IDSRV (example.com) with an endsession request from an iframe. The response contains XFO: SAMEORIGIN. They would like us to remove this.

Assuming that it's a good idea, I'm not sure how to either remove the XFO header or add a CSP iframe exception.

  1. IdentityServerOptions.ProtocolLogoutUrls looked promising but the generated URL is relative to the IDSRV base url, so I can't set it to a different domain.
  2. [SecurityHeaders(EnableXfo = false)] on the EndSessionController would mean recompiling IdentityServer3 and I don't want to be the guy who disabled security headers for all of our clients.
  3. _request.SetSuppressXfo() would do the trick but I don't know where I can add that in our code so it'll be useful.
  4. OWIN pipeline. Either pre or post request I could strip out SAMEORIGIN or call SetSuppressXfo.

I feel like I'm missing something obvious (quite probably: Don't!).

brockallen commented 7 years ago

> One of our clients (foobar.com) is calling our IDSRV (example.com) with an endsession request from an iframe. The response contains XFO: SAMEORIGIN. They would like us to remove this.

This would open up your signout page to a click-jacking attack. You can do whatever you want, but we won't be removing this from IdentityServer.

koolraap commented 7 years ago

Thanks Brock, I appreciate the reply. I'll let the client make the decision.
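The thread turns on one question: which origins a browser will let embed the endsession response. The following check is an added example, not code from IdentityServer3 or from anyone in this thread. It evaluates the anti-framing headers a response carries (X-Frame-Options, and Content-Security-Policy frame-ancestors, which browsers prefer when both are present) against a candidate framing origin, so an operator can confirm that the sign-out endpoint stays protected from click-jacking for unrelated origins and, if a CSP allow-list were ever introduced, that it names only the intended partner. The sample header sets and the origins example.com, foobar.com and unrelated.invalid are constructed for the example; the source matching is a simplified version of the CSP rules (scheme-source, host-source with an optional leading wildcard label, 'self', 'none' and *).

```python
from urllib.parse import urlsplit

# Constructed sample responses resembling what an OpenID Connect provider's
# endsession endpoint might send. Not captured from a real IdentityServer3 instance.
SAMPLE_RESPONSES = {
    "idsrv_default": {"X-Frame-Options": "SAMEORIGIN"},
    "idsrv_csp_allowlist": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' https://foobar.com",
    },
    "headers_stripped": {},
}


def _origin(url):
    """Return scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(source, framer, page_origin):
    """Simplified CSP source matching for a single frame-ancestors entry."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return framer.startswith(src + "//")
    framer_parts = urlsplit(framer)
    if "://" in src:  # host-source with an explicit scheme
        src_parts = urlsplit(src)
        if src_parts.scheme != framer_parts.scheme:
            return False
        host_pattern = src_parts.netloc
    else:
        host_pattern = src
    if host_pattern.startswith("*."):  # wildcard label matches any subdomain
        return framer_parts.netloc.endswith(host_pattern[1:])
    return framer_parts.netloc == host_pattern


def framing_allowed(headers, page_url, framer_url):
    """Decide whether a browser would let framer_url embed the page served with these headers.

    A frame-ancestors directive takes precedence over X-Frame-Options; the obsolete
    X-Frame-Options ALLOW-FROM form is deliberately not honoured. A response with
    neither header can be framed by any origin.
    """
    page_origin = _origin(page_url)
    framer = _origin(framer_url)
    hdrs = {k.lower(): v for k, v in headers.items()}

    csp = hdrs.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            return any(_source_matches(s, framer, page_origin) for s in sources)

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page_origin
    return True  # no recognised anti-framing header


def audit_endsession(headers, page_url, partner_url):
    """Report who can frame the endsession page: the provider itself, a named partner, or anyone.

    'anyone' is probed with a constructed, unrelated origin; a True there means the
    click-jacking protection discussed in the thread is absent.
    """
    return {
        "self": framing_allowed(headers, page_url, page_url),
        "partner": framing_allowed(headers, page_url, partner_url),
        "anyone": framing_allowed(headers, page_url, "https://unrelated.invalid"),
    }


if __name__ == "__main__":
    endsession = "https://example.com/connect/endsession"
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_endsession(hdrs, endsession, "https://foobar.com"))
```

Run against a captured response from the real endpoint, the third key is the one to watch: with the default SAMEORIGIN header only the provider's own origin can frame the page; with a frame-ancestors allow-list the named partner can as well while unrelated origins still cannot; with the headers stripped, as option 4 in the question would do, every origin can.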