
I work on one project and I realize that we don't use AntiForgeryToken. Of course there is a reason behind that. The reason is that our app can be in standalone mode (in this case everything is fine) and in integrated mode (in an iframe). In integrated mode we have the following error:

Refused to display 'www.xxx.zzz' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Which is normal based on the following article:

https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/

So here is what I am wondering:

If I use AntiForgeryToken in the app and I do this (in Application_Start()):

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

which basically removes the X-Frame-Options: SAMEORIGIN header, so everyone can put my site in an iframe (actually they can do it right now), but we will keep AntiForgeryToken.

Are there any benefits if I do this, or do I have to leave it as it is? In my point of view I have to do it, but anyway I just want to ask for another opinion.

Cheers!

chunk1ty
  • Have you tried suppressing the x-frame-options as you describe but adding a content security policy (as per the answer here - https://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains) to ensure only specific domains can iframe your site? – Tom Troughton Apr 23 '18 at 15:52
  • I haven't, but in our case we have multiple dynamic domains, and yes, I saw that there is a solution even for dynamic domains, but I don't want to have such a hacky thing. As I said, we don't use AntiForgeryToken at all and I am just wondering whether it is worth it if I do the proposed solution. – chunk1ty Apr 24 '18 at 07:46
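The two settings discussed in the question and the comments address different attacks: the antiforgery token defends against CSRF, while X-Frame-Options (or the CSP frame-ancestors directive suggested in the comment) defends against clickjacking. Suppressing the header keeps the CSRF protection intact but, on its own, lets any site frame the app. The following is an added example, not code from the question or from ASP.NET itself, showing one way to keep AntiForgeryToken, suppress the automatic SAMEORIGIN header, and replace it with an explicit frame-ancestors allowlist applied through a global MVC filter. The class name FrameAncestorsAttribute and the origins in AllowedParentOrigins are assumed values for illustration; a real deployment would load the allowed parents from configuration.

```csharp
// Global.asax.cs (added example; names and origins below are assumptions)
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Keep the antiforgery tokens (CSRF defence), but stop the helper from
        // emitting "X-Frame-Options: SAMEORIGIN" on every response that renders a token.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

        // Replace the suppressed header with an explicit framing policy on every action,
        // so that removing X-Frame-Options does not mean "anyone may frame this site".
        GlobalFilters.Filters.Add(new FrameAncestorsAttribute());
    }
}

// Emits a Content-Security-Policy frame-ancestors directive naming the parent
// origins that may embed the app. Unlike X-Frame-Options ALLOW-FROM, the
// directive accepts several origins and wildcard subdomains.
public class FrameAncestorsAttribute : ActionFilterAttribute
{
    // Assumed allowlist for the example; read it from configuration in practice.
    private static readonly string[] AllowedParentOrigins =
    {
        "'self'",
        "https://portal.example.com",
        "https://*.partner.example.net"
    };

    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        var policy = "frame-ancestors " + string.Join(" ", AllowedParentOrigins);
        response.AppendHeader("Content-Security-Policy", policy);
        base.OnResultExecuting(filterContext);
    }
}
```

Browsers that implement frame-ancestors ignore X-Frame-Options when both are present, so this filter is also a reasonable place to centralise the policy if some responses still carry the older header from elsewhere in the pipeline. If the allowlist cannot be expressed statically because the embedding domains are dynamic, the filter can compute the list per request from the same data source the application already trusts to decide which integrations are legitimate.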

0 Answers