Suppressing the anti-forgery X-Frame-Options header in the Global.asax weakens security despite setting X-Frame-Options in Web.config?
Our MVC5 application contains a partial view that renders an Html.AntiForgeryToken() on all pages using the Master.cshtml.
On pages where we render another form, and another Html.AntiForgeryToken(), an exception is thrown on form submission:
To avoid the exception, within the Global.asax App_Start we can specify:
Our concern here is that we're enabling others to embed our website in an iframe, and so enabling clickjacking?
The above occurs regardless of us also using Umbraco 7.6.1, which requires that we specify within our Web.config (otherwise we're unable to "Republish entire site"):
Is there an alternative to this contradictory configuration? Are we weakening security?
Would really appreciate assistance.
Hi Jason,
We also use the config setting in the web.config. We didn't have to do anything special to get forms working.
Maybe you can post the code of how you render the form?
Dave
Hi Jason,
If you have an Html.AntiForgeryToken() on your page it will automatically add an X-Frame-Options header with the value "SameOrigin". The only weird thing is that if you have, for example, five forms on your page you will get a header that contains the value "SameOrigin, SameOrigin, SameOrigin, SameOrigin, SameOrigin", so five times that value. In my opinion that is a bug in .NET and MVC.
The workaround is exactly as you commented already.
1) Add to Global.asax.cs the line:
2) Specify the X-Frame-Options header in the Web.config
If you do these two things, everything will work fine; you'll get the correct headers and you don't have to worry about clickjacking.
Regards,
Jeffrey
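Jeffrey's two steps written out, as an added example by the editor: the snippets the thread itself posted are not reproduced on this page, so this is a reconstruction of the standard ASP.NET MVC 5 and IIS settings, not the poster's own code. Step 1 is the single statement AntiForgeryConfig.SuppressXFrameOptionsHeader = true; (class AntiForgeryConfig in System.Web.Helpers) inside Application_Start in Global.asax.cs, which stops the anti-forgery helper from appending its own header once per token. Step 2 is the Web.config fragment below, which makes IIS add the header itself. The <remove> line goes beyond what the thread states: it is an added safeguard so that a value inherited from a parent configuration level (applicationHost.config or a parent Web.config) is not emitted twice.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the thread's or Umbraco's own configuration.

     Step 1 (Global.asax.cs, inside Application_Start):
         AntiForgeryConfig.SuppressXFrameOptionsHeader = true;   // System.Web.Helpers

     Step 2 (Web.config): let IIS send exactly one X-Frame-Options header
     on every response, including those without any anti-forgery token. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any value inherited from a parent level, then add one value. -->
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

This does not weaken the site's position: the helper-added header only ever appeared on responses that rendered a token, whereas the customHeaders entry is applied by IIS to every response the application returns, so static pages and pages without forms are covered as well. Use DENY instead of SAMEORIGIN if nothing on the site legitimately frames its own pages (the Umbraco back office does frame its own content, so SAMEORIGIN is the usual choice there).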
Thanks Jeffrey. Could you point me to a resource that confirms your reassurance about clickjacking?
Hi Jason,
Not really, but if you just check the headers that have been sent (by using the developer tools in Chrome, for example) you can verify that the header is sent correctly.
See for example this page: https://www.perplex.nl/en/expertise/umbraco-cms/. If you check it in the developer tools you will see the header, thus it's working, thus it's protecting you from clickjacking.
Another way is using this website: https://securityheaders.io/.
Hope this helps,
Jeffrey
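Jeffrey's verification step above (reading the response headers in the browser's developer tools or at securityheaders.io) as a scripted, offline check. This is an added example by the editor, not code from the thread, Umbraco or ASP.NET. The five sample responses are constructed for the example (none is a capture from a real site), and the browser model is a deliberately conservative approximation rather than a transcription of any one browser's parser: identical repeated values (the "SameOrigin, SameOrigin, ..." case from this thread) collapse to one directive, any mixture of different values is reported as something to fix, an unrecognised value counts as no protection, and a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options when both are present, as the CSP specification requires.

```python
"""Offline clickjacking-protection check for raw HTTP responses (added example)."""

from typing import Dict, List, Tuple

# Verdicts returned by framing_verdict()
PROTECTED, EXPOSED, NEEDS_FIX = "protected", "exposed", "needs-fix"

# Constructed sample responses for this example; not captures from any real site.
SAMPLES: Dict[str, str] = {
    # What an MVC5 page with three Html.AntiForgeryToken() calls emits before the fix
    "duplicated": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-Frame-Options: SameOrigin, SameOrigin, SameOrigin\r\n\r\n",
    # SuppressXFrameOptionsHeader = true was set but the Web.config header was forgotten
    "suppressed_only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    # Two layers (e.g. the app and a reverse proxy) each add a different value
    "conflicting": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    # The fixed site: exactly one header, added by IIS from Web.config
    "fixed": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    # A CSP frame-ancestors directive takes precedence over a broken X-Frame-Options
    "csp": "HTTP/1.1 200 OK\r\nX-Frame-Options: nonsense\r\n"
           "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n",
}


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response (status line plus headers) into (name, value)
    pairs. Repeated headers stay as separate pairs, in wire order; names are lowercased."""
    lines = raw_response.strip().splitlines()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def x_frame_options_disposition(values: List[str]) -> str:
    """Collapse every X-Frame-Options value (one per header line, or comma-joined as
    the MVC anti-forgery helper emits them) into one disposition.

    Each comma-separated token is treated as its own directive. Identical repeats
    collapse to that directive; any mixture is reported as CONFLICT (conservative:
    browsers differ in how they resolve it, so it should simply be fixed)."""
    tokens: List[str] = []
    for value in values:
        for token in value.split(","):
            token = token.strip().upper()
            if token:
                tokens.append(token.split()[0])   # "ALLOW-FROM https://x" -> "ALLOW-FROM"
    if not tokens:
        return "MISSING"
    distinct = set(tokens)
    if len(distinct) > 1:
        return "CONFLICT"
    token = distinct.pop()
    return token if token in ("DENY", "SAMEORIGIN", "ALLOW-FROM") else "INVALID"


def framing_verdict(headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (reason, verdict) for a parsed response."""
    for name, value in headers:
        if name == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    sources = [p.lower() for p in parts[1:]]
                    if not sources:
                        return ("frame-ancestors without a source list", NEEDS_FIX)
                    if "*" in sources:
                        return ("frame-ancestors allows any origin", EXPOSED)
                    return ("frame-ancestors " + " ".join(sources), PROTECTED)
    disposition = x_frame_options_disposition(
        [v for n, v in headers if n == "x-frame-options"])
    if disposition in ("DENY", "SAMEORIGIN"):
        return ("X-Frame-Options " + disposition, PROTECTED)
    if disposition in ("MISSING", "INVALID"):
        return ("X-Frame-Options " + disposition.lower() + ", page can be framed", EXPOSED)
    # CONFLICT, or the obsolete ALLOW-FROM that current browsers ignore
    return ("X-Frame-Options " + disposition + ", browsers disagree or ignore it", NEEDS_FIX)


def check(sample_name: str) -> Tuple[str, str]:
    """Verdict for one of the constructed samples above."""
    return framing_verdict(parse_headers(SAMPLES[sample_name]))


def main() -> None:
    for name in SAMPLES:
        reason, verdict = check(name)
        print(f"{name:16} {verdict:10} {reason}")


if __name__ == "__main__":
    main()
```

To run it against a live site instead of the constructed samples, paste the response head from the developer tools (or from curl -sI) into parse_headers; the check reads only the header block, so a response body following the blank line is ignored.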
Hi Jeffrey, just the evidence I was looking for - thank you. Jason