iFrame problem

[Astimus]

I put asp .net core MVC application in the iframe of oidc-client-js application. I get an error in the console: Refused to display 'http://localhost:12406/connect/authorize?client_id=dashboard_viewer&redirect_uri=http%3A%2F%2Flocalhost%3A12496%2Fsignin-oidc&response_type=id_token%20token&scope=openid%20profile%20roles%20core_logic_facade&response_mode=form_post&nonce=636428092725221109.NDQ2OWQ0MGMtZWQyMy00OGVhLWEwMzItNGNkNmE3MjU4MWUxYzdiYTAxNWQtYjYzMi00MjlhLWJiNjItZGVkMTliM2E2MDMz&state=CfDJ8Irk0l47HfFNhSEOlj01Rv7ySxaLQyfqDcdFeNxkvMy7wbwt-K1obKOm1WnJ0ADEwWKolYmbcWGMbibB1dWOYH26qidI6J-GYL0Xr6Yr9g4_b02_NkkMazFJrWkSWo9-ffzAapO_PIU8p5g1UXkXY7phQq_TLNTJeAWT8ZlVKrpDnQnyOZeA8qeeSPpzerhCbO1XsKdrhoyC75bTMUEOhWYiq3Pg9_jEjzjyDK-X-u1128TCX70TDzhhMSz7pcKVhQ3DcpU4KAAYd09fK8YM14Zxc8Tt8ptnAHRwvEDjpSJW-B30PxlUUsSWMB6mIL9IzKBc9dptGcqEu1waWnDpL3uWig9FNRiCQWqhsrINDfDsoluVxbsjWD1ywM9MT-rbF0rrPQJGvQHbvTZ87C-yM3Ia8u9ATmd7kjSSvM3FZX5H&x-client-SKU=ID_NET&x-client-ver=2.1.4.0' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:12496"

I've tryed to modify X-Frame-Options in SecurityHeadersAttribute of QuickStart exmaple. But nothing helped. How can I solve problem?

[brockallen]

That's up to your hosting app to decide. Check the code in the quickstart SecurityHeaders filter to control .

[Astimus]

@brockallen SequrityHeaders filter does not impact on /connect/authorize endpoint.

[brockallen]

Ah yes, now I think I see what's happening. Sounds like your page hosting the iframe has CSP that prohibits what you're trying to do. So you should control it the way you need.

[Astimus]

@brockallen Where is the problem? In the site which i put in iframe or in site which contains iframe?

[Astimus]

@brockallen Problem in this code:

        private void AddCspHeaders(HttpContext context)
        {
            var formOrigin = Response.Request.RedirectUri.GetOrigin();
            // 'unsafe-inline' for edge
            var value = $"default-src 'none'; frame-ancestors {formOrigin}; script-src 'unsafe-inline' 'sha256-VuNUSJ59bpCpw62HM2JG/hCyGiqoPN3NqGvNXQPU+rY=';";

            if (!context.Response.Headers.ContainsKey("Content-Security-Policy"))
            {
                context.Response.Headers.Add("Content-Security-Policy", value);
            }

            if (!context.Response.Headers.ContainsKey("X-Content-Security-Policy"))
            {
                context.Response.Headers.Add("X-Content-Security-Policy", value);
            }
        }

In my ASP .NET Core application I use OpenIdConnect authorization. So it uses FormPost response mode. That's why IdSrv add frame-ancestors {formOrigin}; to CSP and asp .net core application not working in iFrame.

[orvelin]

@Astimus how did you solve your problem?

[brockallen]

All set on this issue -- can we close?

[WolfspiritM]

I'm having the same issue. I'm trying to display a client in an iframe provided by the Identityserver host.

The problem is that 'self' is not included inside frame-ancestors. That means the client can display itself in an iframe but the identityserver can't. Is there any security risk to include "self" to the frame-ancestors in general allowing the identityserver to display Clients as an iframe? There is no way to override that part for the authorize endpoint. I even tried to make a middleware that replaces that header but it doesn't work as the response already started to be send.

[brockallen]

I'm still unclear on the issue here. Is your client not running at http://localhost:12496? If it is, then the CSP should work and allow the authorize endpoint in the iframe.

@WolfspiritM I don't know if your issue is the same or not. If it's different, please open a new issue.

[brockallen]

Closing due to lack of response. If you still have issues, feel free to reopen.

[jsamayoap]

I'm having the same issue when trying to logout from a React based app, login works great, but when logging out, I have this.

So there is something in the itentityserver4 logout page that seems the browser does not like, if don't even show me the link to return to mi site.

In my identityserver client configuration I have this: PostLogoutRedirectUris = { "http://localhost:2082/loginPage/pl", "https://localhost:44326/loginPage/pl" }

Then on my OIDC client I have the same setting: post_logout_redirect_uri: "https://localhost:44326/loginPage/pl"

This is basically the same configuration and roundtrip I did for login and it worked as a charm there, so I find kind of weird that logout does not work out the same way.

[RobK410]

I believe @brockallen is right, there's no real issue in identityserver here.

I believe the issue is the client, is using a Referrer policy that is not sending referral/redirect information. In which case, the code in AddCspHeaders is defaulting to frame-ancestors: none

In my case, this "breaks" the OIDC-client JS Session checking code which uses an iframe.

I changed my client server to always use Referrer Policy with strict-origin-when-cross-origin, which should allow the web browser to send back the correct redirect and thus allow the frame-ancestors to render properly allowing the client to operate the iframe.

See https://www.w3.org/TR/referrer-policy/#ref-for-referrer-policy-strict-origin-when-cross-origin-2

[RobK410]

Just a note, I implemented Referrer and it still is not retrieving the referrer to insert into frame-ancestor when /session is called. I'm going to dig a little further into the Response.Request.RedirectUri.GetOrigin(); code.

[RobK410]

I have a SPA at one url my-spa.vasont.com, that is calling my-identity.vasont.com using OIDC js. Everything worked great until I implemented some new security headers on my id server implementation. Specifically, X-Frame-Options sameorigin. It broke Chrome.Removed X-Frame-Options and CSP frame-ancestors and session call is working again.

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.