Thursday, August 3, 2017

Sitecore XFrameOptionsHeaderModule and Chrome 60.0.3112.78 (official build) (64-bit) x-frame-options SAMEORIGIN Refused to display

Introduction

Chrome Side of story:-
X-Frame-Option Same origin issue appeared in Chrome version 60+ and it came surprising when browser started upgraded from lower version to this version. What if such issue appeared in production where your platform is dependent on third party service provider such as payment gateway through IFrame or any data layer that injects data to your system. Well the point is everything boils down to how secure you want to create a platform.

Your site- Domain ABC- Allow access to Domain XYZ[SameOrigin will not work]
Chrome version 60 and above enforce this and check this X-frame-options.

What happened next?
It started throwing below error in developer tool f12 - console

Refused to display https://abc' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
iframe-tunnel.js:60 GET https://xyz net::ERR_BLOCKED_BY_RESPONSE


Sitecore MVC Side of story:-

From sitecore 8.1 update 3 onwards sitecore introduce default module to add X-FRAME-OPTION Sameorigin using below module

One can check this in web.config file
 type="Sitecore.Web.XFrameOptionsHeaderModule, Sitecore.Kernel" name="SitecoreXFrameOptionsHeaderModule"/>
Reference


Probable Solution

using System.Web.Mvc;

namespace Test.Filters
{
    public class RemoveXFrameOptionsAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuted(ResultExecutedContext filterContext)
        {
            filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
            base.OnResultExecuted(filterContext);
        }
    }
[RemoveXFrameOptions]
public class TestController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
}
//or 
//this worked for us.
public class TestController : Controller
{
    [RemoveXFrameOptions]
    public ActionResult Index()
    {
        return View();
    }
}

https://stackoverflow.com/questions/35466242/removing-x-frame-options-header-for-a-specific-controller-only

Bit of background

Why x-frame-options SameOrigin thing? This is required to avoid CLICK JACKING.

https://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont

My final Say

Sitecore should add this in their KB site to be more explicit so that customer is aware of such changes.

1 comment :

Chris H. said...

Hi, thank you for providing this solution. This helped us with a similar requirement we had for our Sitecore website.

Kr,
Christopher