* Unset X-Frame-Options header correctly According to the [spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) there are only the `DENY` and `SAMEORIGIN` options, `ALLOW-FROM` being deprecated. Hence we have to actively unset the header, as we made `DENY` the default. This also unsets the X-Frame-Options header for the public form pages, which fixes #4666. * Ignore anti forgery token in Forms --------- Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
using System;
using Microsoft.AspNetCore.Mvc.Filters;
namespace BTCPayServer.Filters
{
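/// <summary>
/// Action filter attribute that sets, or removes, the <c>X-Frame-Options</c> response header
/// for the decorated action or controller. The header tells browsers whether the response may
/// be rendered inside a frame; <c>DENY</c> and <c>SAMEORIGIN</c> are the only values still
/// defined by the spec (<c>ALLOW-FROM</c> is deprecated), so "allow framing" can only be
/// expressed by unsetting the header. Only the effective policy is applied, so a more specific
/// attribute (e.g. on an action) overrides a broader one (e.g. on the controller or globally).
/// </summary>
public class XFrameOptionsAttribute : Attribute, IActionFilter
{
    /// <summary>
    /// Creates a filter that emits the given raw header value.
    /// </summary>
    /// <param name="value">
    /// The literal <c>X-Frame-Options</c> value to send, or <c>null</c> to unset the header.
    /// The value is not validated; prefer the <see cref="XFrameOptions"/> overload so that only
    /// spec-defined values reach the response.
    /// </param>
    public XFrameOptionsAttribute(string value)
    {
        Value = value;
    }

    /// <summary>
    /// Creates a filter from a well-known framing policy.
    /// </summary>
    /// <param name="type">The framing policy to apply.</param>
    /// <exception cref="ArgumentOutOfRangeException">
    /// <paramref name="type"/> is not a defined <see cref="XFrameOptions"/> member.
    /// </exception>
    public XFrameOptionsAttribute(XFrameOptions type)
    {
        Value = type switch
        {
            XFrameOptions.Deny => "DENY",
            XFrameOptions.SameOrigin => "SAMEORIGIN",
            // null is what gets handed to SetHeaderOnStarting; the intent is to remove the
            // header that is otherwise applied by default (DENY) for pages meant to be embedded.
            XFrameOptions.Unset => null,
            _ => throw new ArgumentOutOfRangeException(nameof(type), type, null)
        };
    }

    /// <summary>
    /// Header value to emit; <c>null</c> means "remove the header". Get-only so the policy is
    /// fixed at construction and cannot drift after the attribute has been attached.
    /// </summary>
    private string Value { get; }

    /// <inheritdoc/>
    public void OnActionExecuted(ActionExecutedContext context)
    {
        // Nothing to do after the action: the header is registered before it executes.
    }

    /// <inheritdoc/>
    public void OnActionExecuting(ActionExecutingContext context)
    {
        // Only the most specific XFrameOptionsAttribute in the filter pipeline is honoured,
        // so an action-level attribute wins over a controller-level or global one.
        if (context.IsEffectivePolicy(this))
        {
            // SetHeaderOnStarting is a project extension; by its name it presumably defers the
            // write until the response starts. A null Value is expected to clear the header
            // (needed because DENY is the default) — TODO confirm the extension removes on null.
            context.HttpContext.Response.SetHeaderOnStarting("X-Frame-Options", Value);
        }
    }

    /// <summary>
    /// Spec-defined framing policies. <see cref="Unset"/> removes the header and with it the
    /// clickjacking protection the default <c>DENY</c> provides, so it belongs only on endpoints
    /// that are designed to be embedded by third-party pages.
    /// </summary>
    public enum XFrameOptions
    {
        /// <summary>The response may not be framed at all (<c>DENY</c>).</summary>
        Deny,
        /// <summary>The response may only be framed by pages of the same origin (<c>SAMEORIGIN</c>).</summary>
        SameOrigin,
        /// <summary>Remove the header so the browser default (framing allowed) applies.</summary>
        Unset
    }
}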
}