Wednesday, 4 November 2015

Why do you have multiple X-Frame-Option values?

X-Frame-Options is extremely useful, so useful that ASP.NET MVC emits the header automatically unless you explicitly tell it not to. While it is a must for any enterprise-grade web application, the ASP.NET MVC-based implementation has an interesting issue: it can emit multiple values for the header, which can conflict with the header configured through the web.config file and cause unwanted behavior.

When does ASP.NET MVC produce multiple values for this header? The secret lies in the implementation of the AntiForgeryToken method of the HtmlHelper class. If you open the assembly in Reflector or ILSpy, look at the implementation of GetFormInputElement.

Essentially, if the page hierarchy contains multiple instances of Html.AntiForgeryToken() (whether in the same page or across multiple partial views), ASP.NET MVC adds one header value for each instance, resulting in multiple values for the same header. Of course, as you know, you can suppress that behavior, but it is a painful discovery for the uninitiated.


For example: I created two partial views, _First and _Second, and each had this line added. The result :(

    X-Frame-Options: SAMEORIGIN, SAMEORIGIN

Bottom line: try to have just one reusable AntiForgeryToken per page. Technically speaking, one instance should be enough. You should probably think again if you need more than one.
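To make the mechanism concrete, here is an added example (not code from the post or from ASP.NET MVC) that models the behaviour described above in Python: a constructed response header collection where, as with ASP.NET's AddHeader, repeated adds accumulate into a multi-valued header; a stand-in for the per-call header emission in AntiForgeryToken, gated by a flag that plays the role of AntiForgeryConfig.SuppressXFrameOptionsHeader; an optional value standing in for a customHeaders entry in web.config; and an audit function you can point at any captured header set to flag duplicate or conflicting X-Frame-Options values. The class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of a response header collection: like ASP.NET's
# Response.AddHeader, adding the same name twice yields two values.
@dataclass
class Response:
    headers: Dict[str, List[str]] = field(default_factory=dict)

    def add_header(self, name: str, value: str) -> None:
        self.headers.setdefault(name.lower(), []).append(value)

def render_antiforgery_token(resp: Response, suppress_header: bool = False) -> str:
    """Stand-in for one Html.AntiForgeryToken() call: besides the hidden
    field, each call appends X-Frame-Options unless suppression is on."""
    if not suppress_header:
        resp.add_header("X-Frame-Options", "SAMEORIGIN")
    return '<input name="__RequestVerificationToken" type="hidden" value="..." />'

def render_page(token_calls: int, suppress: bool = False,
                web_config_value: Optional[str] = None) -> Response:
    """Render a page that contains token_calls partial views, each with a
    token (e.g. _First and _Second), on top of any web.config customHeaders."""
    resp = Response()
    if web_config_value:  # hypothetical customHeaders entry from web.config
        resp.add_header("X-Frame-Options", web_config_value)
    for _ in range(token_calls):
        render_antiforgery_token(resp, suppress)
    return resp

def x_frame_options_wire_value(resp: Response) -> str:
    """The header as it appears on the wire: values joined with ', '."""
    return ", ".join(resp.headers.get("x-frame-options", []))

def audit_x_frame_options(resp: Response) -> str:
    """Classify the X-Frame-Options state: missing, conflict (different
    values), duplicate (same value repeated) or ok (exactly one value)."""
    values = [v.strip().upper() for v in resp.headers.get("x-frame-options", [])]
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflict"
    if len(values) > 1:
        return "duplicate"
    return "ok"
```

Run the audit over the headers of each page of a real site (for example with a crawler that records response headers) to find pages that render more than one token or disagree with web.config.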

