Unset X-Frame-Options header correctly (#4721)

* Unset X-Frame-Options header correctly According to the [spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) there are onlye the `DENY` and `SAMEORIGIN` options, `ALLOW-FROM` being deprecated. Hence we have to actively unset the header, as we made `DENY` the default. This also unsets the X-Frame-Options header for the public form pages, which fixes #4666. * Ignore anti forgery token in Forms --------- Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2025-12-17 14:04:26 +01:00 · 2023-03-01 07:27:18 +01:00
parent 5790bed766
commit 23761eacc1
7 changed files with 25 additions and 27 deletions
--- a/BTCPayServer/Controllers/UIPaymentRequestController.cs
+++ b/BTCPayServer/Controllers/UIPaymentRequestController.cs
@@ -208,6 +208,7 @@ namespace BTCPayServer.Controllers
        [HttpGet("{payReqId}/form")]
        [HttpPost("{payReqId}/form")]
        [AllowAnonymous]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> ViewPaymentRequestForm(string payReqId, FormViewModel viewModel)
        {
            var result = await _PaymentRequestRepository.FindPaymentRequest(payReqId, GetUserId());