Sunday, August 13, 2017

Powershell ISE Cheat sheet

1# How to Comment Multi line code in ISE editor

Put cursor on start of code. Select Shift +Alt and move down arrow key to end of code line. Then press Shift +#

2# How to open/load web page ?

start-process -FilePath "www.google.com.ua"


Posted by at No comments :
Labels:

Thursday, August 3, 2017

Sitecore XFrameOptionsHeaderModule and Chrome 60.0.3112.78 (official build) (64-bit) x-frame-options SAMEORIGIN Refused to display

Introduction

Chrome Side of story:-
X-Frame-Option Same origin issue appeared in Chrome version 60+ and it came surprising when browser started upgraded from lower version to this version. What if such issue appeared in production where your platform is dependent on third party service provider such as payment gateway through IFrame or any data layer that injects data to your system. Well the point is everything boils down to how secure you want to create a platform.

Your site- Domain ABC- Allow access to Domain XYZ[SameOrigin will not work]
Chrome version 60 and above enforce this and check this X-frame-options.

 What happened next?
It started throwing below error in developer tool f12 - console

Refused to display https://abc' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
iframe-tunnel.js:60 GET https://xyz net::ERR_BLOCKED_BY_RESPONSE


Sitecore MVC Side of story:-

From sitecore 8.1 update 3 onwards sitecore introduce default module to add X-FRAME-OPTION Sameorigin using below module

One can check this in web.config file
 type="Sitecore.Web.XFrameOptionsHeaderModule, Sitecore.Kernel" name="SitecoreXFrameOptionsHeaderModule"/>
Reference


Probable Solution

using System.Web.Mvc;

namespace Test.Filters
{
    public class RemoveXFrameOptionsAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuted(ResultExecutedContext filterContext)
        {
            filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
            base.OnResultExecuted(filterContext);
        }
    }
[RemoveXFrameOptions]
public class TestController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
}
//or 
//this worked for us.
public class TestController : Controller
{
    [RemoveXFrameOptions]
    public ActionResult Index()
    {
        return View();
    }
}

https://stackoverflow.com/questions/35466242/removing-x-frame-options-header-for-a-specific-controller-only

Bit of background

Why x-frame-options SameOrigin thing? This is required to avoid CLICK JACKING.

https://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont

My final Say

Sitecore should add this in their KB site to be more explicit so that customer is aware of such changes.

Posted by at 1 comment :
Labels:
Subscribe to: Posts ( Atom )