Unset X-Frame-Options header correctly (#4721)

* Unset X-Frame-Options header correctly According to the [spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) there are onlye the `DENY` and `SAMEORIGIN` options, `ALLOW-FROM` being deprecated. Hence we have to actively unset the header, as we made `DENY` the default. This also unsets the X-Frame-Options header for the public form pages, which fixes #4666. * Ignore anti forgery token in Forms --------- Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2025-12-18 14:34:23 +01:00 · 2023-03-01 07:27:18 +01:00
parent 5790bed766
commit 23761eacc1
7 changed files with 25 additions and 27 deletions
--- a/BTCPayServer/Plugins/PointOfSale/Controllers/UIPointOfSaleController.cs
+++ b/BTCPayServer/Plugins/PointOfSale/Controllers/UIPointOfSaleController.cs
@@ -62,9 +62,10 @@ namespace BTCPayServer.Plugins.PointOfSale.Controllers
        public FormDataService FormDataService { get; }

        [HttpGet("/")]
+        [HttpGet("/apps/{appId}/pos")]
        [HttpGet("/apps/{appId}/pos/{viewType?}")]
-        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.AllowAll)]
        [DomainMappingConstraint(AppType.PointOfSale)]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> ViewPointOfSale(string appId, PosViewType? viewType = null)
        {
            var app = await _appService.GetApp(appId, AppType.PointOfSale);
@@ -118,11 +119,11 @@ namespace BTCPayServer.Plugins.PointOfSale.Controllers

        [HttpPost("/")]
        [HttpPost("/apps/{appId}/pos/{viewType?}")]
-        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.AllowAll)]
        [IgnoreAntiforgeryToken]
        [EnableCors(CorsPolicies.All)]
        [DomainMappingConstraint(AppType.PointOfSale)]
        [RateLimitsFilter(ZoneLimits.PublicInvoices, Scope = RateLimitsScope.RemoteAddress)]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> ViewPointOfSale(string appId,
                                                        PosViewType? viewType = null,
                                                        [ModelBinder(typeof(InvariantDecimalModelBinder))] decimal? amount = null,
@@ -329,6 +330,8 @@ namespace BTCPayServer.Plugins.PointOfSale.Controllers
        }

        [HttpPost("/apps/{appId}/pos/form/{viewType?}")]
+        [IgnoreAntiforgeryToken]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> POSForm(string appId, PosViewType? viewType = null)
        {
            var app = await _appService.GetApp(appId, AppType.PointOfSale);
@@ -373,6 +376,8 @@ namespace BTCPayServer.Plugins.PointOfSale.Controllers
        }

        [HttpPost("/apps/{appId}/pos/form/submit/{viewType?}")]
+        [IgnoreAntiforgeryToken]
+        [XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
        public async Task<IActionResult> POSFormSubmit(string appId, FormViewModel viewModel, PosViewType? viewType = null)
        {
            var app = await _appService.GetApp(appId, AppType.PointOfSale);