diff --git a/docs/en/UI/AspNetCore/Security-Headers.md b/docs/en/UI/AspNetCore/Security-Headers.md
index b02e9691b0..dad20089a6 100644
--- a/docs/en/UI/AspNetCore/Security-Headers.md
+++ b/docs/en/UI/AspNetCore/Security-Headers.md
@@ -74,3 +74,26 @@ Configure(options =>
 });
 });
 ```
+
+### Ignore Abp Security Headers
+
+You can ignore the Abp Security Headers for some actions or pages. You can use the `IgnoreAbpSecurityHeaderAttribute` attribute for this.
+
+**Example:**
+
+```csharp
+@using Volo.Abp.AspNetCore.Security
+@attribute [IgnoreAbpSecurityHeaderAttribute]
+```
+
+**Example:**
+
+```csharp
+[IgnoreAbpSecurityHeaderAttribute]
+public class IndexModel : AbpPageModel
+{
+ public void OnGet()
+ {
+ }
+}
+```
\ No newline at end of file
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index f328cd27ae..b1068bbe85 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -33,11 +33,19 @@ public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency
 var requestAcceptTypeHtml = context.Request.Headers["Accept"].Any(x => x.Contains("text/html") || x.Contains("*/*") || x.Contains("application/xhtml+xml"));
+
+ var endpoint = context.GetEndpoint();
+
+ if (endpoint?.Metadata.GetMetadata() != null)
+ {
+ await next.Invoke(context);
+ return;
+ }
 if (!requestAcceptTypeHtml || !Options.Value.UseContentSecurityPolicyHeader || await AlwaysIgnoreContentTypes(context)
- || context.GetEndpoint() == null
+ || endpoint == null
 || Options.Value.IgnoredScriptNoncePaths.Any(x => context.Request.Path.StartsWithSegments(x.EnsureStartsWith('/'))))
 {
 AddOtherHeaders(context);
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
new file mode 100644
index 0000000000..fb9e7717f3
--- /dev/null
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
@@ -0,0 +1,9 @@
+using System;
+
+namespace Volo.Abp.AspNetCore.Security;
+
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+public class IgnoreAbpSecurityHeaderAttribute : Attribute
+{
+
+}
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
index 961252aae7..f4d7008ef5 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
@@ -10,6 +10,7 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Primitives;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
+using Volo.Abp.AspNetCore.Security;
 using Volo.Abp.OpenIddict.ViewModels.Authorization;
 namespace Volo.Abp.OpenIddict.Controllers;
@@ -20,6 +21,7 @@ public class AuthorizeController : AbpOpenIdDictControllerBase
 {
 [HttpGet, HttpPost]
 [IgnoreAntiforgeryToken]
+[IgnoreAbpSecurityHeader]
 public virtual async Task HandleAsync()
 {
 var request = await GetOpenIddictServerRequestAsync(HttpContext);
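Review bot: `IgnoreAbpSecurityHeaderAttribute` is a public marker with no XML doc comment, so nothing at the declaration tells a maintainer how wide its effect is; the middleware hunk in this commit returns before `AddOtherHeaders(context)` whenever the endpoint metadata carries it, which means the decorated class or method gets none of the headers the middleware adds, not only the CSP nonce handling. A `/// <summary>` along the lines of "Excludes the decorated controller, page model or action from all headers added by <see cref="AbpSecurityHeadersMiddleware"/>; prefer `IgnoredScriptNoncePaths` when only the CSP nonce handling should be skipped" would make that trade-off visible at the point of use. Since the type is a pure marker with nothing to override, `public sealed class IgnoreAbpSecurityHeaderAttribute : Attribute` also fits the file's conventions.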
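Review bot: Putting `[IgnoreAbpSecurityHeader]` on `HandleAsync` removes every security header from the authorize endpoint, because the middleware hunk in this commit short-circuits with `await next.Invoke(context); return;` without first calling `AddOtherHeaders(context)`; the authorize endpoint can render HTML (consent/login flows), so this looks like a wider relaxation than avoiding the CSP nonce rewriting requires. If the intent is only to keep the CSP branch away from the OpenIddict response, the early-return path in the middleware should still run `AddOtherHeaders(context);` before `await next.Invoke(context);`, or the attribute should only bypass the CSP branch. Whichever is intended, a one-line comment above the attribute here stating why the authorize endpoint opts out would keep the reason from being lost. As a side note, the middleware hunk shows `endpoint?.Metadata.GetMetadata()` with no type argument, which looks like a rendering artifact of this page rather than the committed code; worth confirming it reads `GetMetadata<IgnoreAbpSecurityHeaderAttribute>()`.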