Unset X-Frame-Options header correctly (#4721)

* Unset X-Frame-Options header correctly According to the [spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) there are onlye the `DENY` and `SAMEORIGIN` options, `ALLOW-FROM` being deprecated. Hence we have to actively unset the header, as we made `DENY` the default. This also unsets the X-Frame-Options header for the public form pages, which fixes #4666. * Ignore anti forgery token in Forms --------- Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2025-12-17 22:14:26 +01:00 · 2023-03-01 07:27:18 +01:00
parent 5790bed766
commit 23761eacc1
7 changed files with 25 additions and 27 deletions
--- a/BTCPayServer/Controllers/UIPublicLightningNodeInfoController.cs
+++ b/BTCPayServer/Controllers/UIPublicLightningNodeInfoController.cs
@@ -30,7 +30,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet]
-        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.AllowAll)]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> ShowLightningNodeInfo(string storeId, string cryptoCode)
        {
            var store = await _StoreRepository.FindStore(storeId);