New option.

4 years ago · 466534e152
4 changed files with 16 additions and 3 deletions
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@ -5,6 +5,7 @@
 //  All rights reserved. Licensed under the MIT license.
 // ==========================================================================

+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
@ -115,6 +116,13 @@ namespace Squidex.Areas.IdentityServer.Config
                    options.UseAspNetCore();
                });

+            services.Configure<AntiforgeryOptions>((services, options) =>
+            {
+                var identityOptions = services.GetRequiredService<IOptions<MyIdentityOptions>>().Value;
+
+                options.SuppressXFrameOptionsHeader = identityOptions.SuppressXFrameOptionsHeader;
+            });
+
            services.Configure<OpenIddictServerOptions>((services, options) =>
            {
                var urlGenerator = services.GetRequiredService<IUrlGenerator>();
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@ -73,6 +73,8 @@ namespace Squidex.Config

        public bool ShowPII { get; set; }

+        public bool SuppressXFrameOptionsHeader { get; set; }
+
        public bool IsAdminConfigured()
        {
            return !string.IsNullOrWhiteSpace(AdminEmail) && !string.IsNullOrWhiteSpace(AdminPassword);
--- a/backend/src/Squidex/Startup.cs
+++ b/backend/src/Squidex/Startup.cs
@ -43,10 +43,8 @@ namespace Squidex
            services.AddSquidexIdentityServer();
            services.AddSquidexAuthentication(config);

-            services.AddSquidexImageResizing(config);
-            services.AddSquidexAssetInfrastructure(config);
-            services.AddSquidexSerializers();
            services.AddSquidexApps(config);
+            services.AddSquidexAssetInfrastructure(config);
            services.AddSquidexAssets(config);
            services.AddSquidexBackups();
            services.AddSquidexCommands(config);
@ -58,6 +56,7 @@ namespace Squidex
            services.AddSquidexGraphQL();
            services.AddSquidexHealthChecks(config);
            services.AddSquidexHistory(config);
+            services.AddSquidexImageResizing(config);
            services.AddSquidexInfrastructure(config);
            services.AddSquidexLocalization();
            services.AddSquidexMigration(config);
@ -67,6 +66,7 @@ namespace Squidex
            services.AddSquidexRules(config);
            services.AddSquidexSchemas();
            services.AddSquidexSearch();
+            services.AddSquidexSerializers();
            services.AddSquidexStoreServices(config);
            services.AddSquidexSubscriptions(config);
            services.AddSquidexTelemetry(config);
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@ -507,6 +507,9 @@
        // Enable password auth. Set this to false if you want to disable local login, leaving only 3rd party login options.
        "allowPasswordAuth": true,

+        // Specifies whether to suppress the generation of X-Frame-Options header which is used to prevent ClickJacking.
+        "suppressXFrameOptionsHeader": false,
+
        // Initial admin user.
        "adminEmail": "",
        "adminPassword": "",