ASP.Net Core: X-Frame-Options strange behavior
I need to remove the X-Frame-Options: SAMEORIGIN header for some of my actions, which should render content for an iframe. Since it is added to requests by default, I disabled it in Startup.cs:

    services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = false);

Then I wrote a simple middleware:

    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
        await next();
    });

The actions that need to answer cross-domain requests are decorated with a result filter attribute:

    public class SuppresXFrameOptionFilter : ResultFilterAttribute
    {
        public override async Task OnResultExecutionAsync(ResultExecutingContext context, ResultExecutionDelegate next)
        {
            context.HttpContext.Response.Headers.Remove("X-Frame-Options");
            await next();
        }
    }

Here comes the weirdness. The first cross-domain request fails because, despite the filter working as expected, in the end X-Frame-Options: SAMEORIGIN is still present in the response (I checked after next() in the middleware - the header reappeared). If I press F5, the header is no longer in the response and it works as it should. This happens with the X-Frame-Options header; a custom one is removed correctly. What makes the X-Frame-Options header that has been removed appear in the response again?

I think on the first request Antiforgery saves the cookie, which means it also tries to set the X-Frame-Options header.

If you want to disable that header in Antiforgery and manually handle it yourself, what you want is setting SuppressXFrameOptionsHeader to true ;)

    services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
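
One way to combine the setting from the answer with per-action framing control, as an added example that is not code from the question or the answer: the header is decided once, in a Response.OnStarting callback, so nothing written during the action can bring it back. AllowFramingAttribute and the origin https://partner.example are hypothetical names, and the sketch assumes ASP.NET Core 6+ minimal hosting with endpoint routing.

```csharp
// Added example (not from the original post). Assumes ASP.NET Core 6+.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Antiforgery stops writing X-Frame-Options when it issues its cookie.
builder.Services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);

var app = builder.Build();
app.UseRouting(); // must run first so GetEndpoint() is populated below

app.Use(async (context, next) =>
{
    // The callback runs just before the headers are sent, after the action
    // and its filters, so the decision is made in exactly one place.
    context.Response.OnStarting(() =>
    {
        var allow = context.GetEndpoint()?.Metadata.GetMetadata<AllowFramingAttribute>();
        var headers = context.Response.Headers;
        if (allow is null)
            headers["X-Frame-Options"] = "SAMEORIGIN"; // default: same-origin framing only
        else
            headers.Remove("X-Frame-Options");         // opted-out action
        // X-Frame-Options cannot name one external origin, so the opted-out
        // action is limited with CSP frame-ancestors instead of left open.
        // Note: this overwrites any Content-Security-Policy set earlier.
        headers["Content-Security-Policy"] = allow is null
            ? "frame-ancestors 'self'"
            : $"frame-ancestors 'self' {allow.Origin}";
        return Task.CompletedTask;
    });
    await next(context);
});

app.MapDefaultControllerRoute();
app.Run();

// Hypothetical marker attribute; MVC copies action attributes into endpoint
// metadata. Usage on an action: [AllowFraming("https://partner.example")]
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowFramingAttribute : Attribute
{
    public AllowFramingAttribute(string origin) => Origin = origin;
    public string Origin { get; }
}
```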