Oidc-client-js: X-Frame-Options error on IdentityServer3 /connect/checksession when "monitorSession" is true.

Created on 9 Dec 2016 · 7 comments · Source: IdentityModel/oidc-client-js

Hopefully I'm just missing some piece of configuration somewhere and someone can point me in the right direction.

When I complete the sign-in with IdentityServer through oidc-client and the main window and come back to my page, two errors occur. The first only occurs once, and the second will happen on a constant interval. The only way to stop the errors is to turn off monitorSession in the settings. I would rather not have to disable anything if I don't have to though. What could be going wrong here? Is there some configuration I can add/fix to monitor for sign-out at my provider?

Refused to display 'http://auth.domain.corp/connect/checksession' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('http://auth.domain.corp') does not match the recipient window's origin ('null').

question

All 7 comments

Refused to display 'http://auth.domain.corp/connect/checksession' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

This endpoint is designed to work in an iframe. Are you adding any of your XFO options in your IdentityServer host?

I think the second error/issue is a result of the first.

Well, not in the host itself. Though it occurs to me that doesn't mean our admins aren't setting something I'm not aware of by default on the box itself or the load balancer. Further investigation shows the X-Frame-Options header on every request. Putting an entry in my web.config to remove that header seems to stop the error, and the header still shows up on requests I'm assuming it should be on, like /login. I'll confirm tomorrow morning, but I suspect it's the case that there's some parent-level config adding that header. Sorry, it's likely something I should have spotted sooner on my own, but thank you for your help regardless.

IdentityServer issues this header for most of its UI, but not for the checksession endpoint.

I did confirm this morning that the X-Frame-Options header was being set at the server level outside of IdentityServer, so it was present on every request to that machine. Removing it by default cleared up the error, and IdentityServer is still able to set the header on the proper requests. Thanks again for pointing me in the right direction.

Thank you very much guys, I was facing the same issue.
I found out that my Nginx reverse proxy was adding the X-Frame-Options header. After removing it, the error disappeared!

Hey, this option of removing the header from the IIS server/load balancer worked for me. But our security team raised concerns about completely removing it. So we added X-Frame-Options: "ALLOW-FROM domain", but it looks like this header is not working in Chrome and is being completely ignored. Are there any better solutions for this if the client and IdP are not on the same domain?

Having a blanket rule about anything is always problematic when you have a perfectly valid exception to that rule. Check session is one of those perfectly valid exceptions.
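The thread's conclusion is a per-path exception rather than a blanket rule. The following added example (not code from the thread, IdentityServer, oidc-client-js or any proxy) models that policy in Node: SAMEORIGIN stays on every other path, the check-session page gets no X-Frame-Options when the RPs share the IdP's domain, and when they do not it gets a Content-Security-Policy frame-ancestors list instead, the standard successor to ALLOW-FROM. A second function models a Chromium-style framing decision with simplified exact-origin matching: frame-ancestors wins over X-Frame-Options when present, and ALLOW-FROM is not a recognised directive, so the whole header is ignored and the frame loads, which is weaker than the SAMEORIGIN it replaced. The path, origins and allow-list are assumptions for illustration.

```javascript
// Added example (not from the thread or any project it names): a per-path framing
// policy and a simplified model of how a Chromium-based browser evaluates it.
// Paths, origins and the allow-list are assumptions.

const CHECK_SESSION_PATH = "/connect/checksession";

// Response headers a proxy or host should add for a given path.
// allowedRpOrigins lists RP origins on other domains that may frame the
// check-session page; empty means only same-domain RPs, so no header is needed.
function framingHeadersFor(path, allowedRpOrigins = []) {
  if (path !== CHECK_SESSION_PATH) {
    return { "X-Frame-Options": "SAMEORIGIN" };
  }
  if (allowedRpOrigins.length === 0) {
    return {};
  }
  return { "Content-Security-Policy": `frame-ancestors ${allowedRpOrigins.join(" ")}` };
}

// Simplified browser decision for a response framed by a page at topOrigin.
// frame-ancestors, when present, takes precedence over X-Frame-Options.
// DENY blocks; SAMEORIGIN needs a matching top-level origin; an absent header
// or an unrecognised value such as ALLOW-FROM is ignored and the frame loads.
// Source matching is exact-origin only ('self', 'none', or a listed origin);
// scheme and host wildcards are not modelled.
function browserAllowsFrame(headers, responseOrigin, topOrigin) {
  const csp = headers["Content-Security-Policy"];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/);
      if (sources.includes("'none'")) return false;
      if (sources.includes("'self'") && topOrigin === responseOrigin) return true;
      return sources.includes(topOrigin);
    }
  }
  const xfo = (headers["X-Frame-Options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return topOrigin === responseOrigin;
  return true; // absent, ALLOW-FROM, or otherwise unrecognised: header ignored
}

// Evaluate the policy for a cross-domain RP and for an unrelated site, returning
// which pages each can frame. idp, rp and other are constructed origins.
function evaluatePolicy(idp, rp, other) {
  const login = framingHeadersFor("/login");
  const check = framingHeadersFor(CHECK_SESSION_PATH, [rp]);
  return {
    rpCanFrameLogin: browserAllowsFrame(login, idp, rp),
    rpCanFrameCheckSession: browserAllowsFrame(check, idp, rp),
    otherCanFrameCheckSession: browserAllowsFrame(check, idp, other),
  };
}

module.exports = { CHECK_SESSION_PATH, framingHeadersFor, browserAllowsFrame, evaluatePolicy };
```

Run evaluatePolicy with the IdP, the RP and a third-party origin: only the RP can frame the check-session page, nobody can frame /login cross-origin, and the login UI keeps the SAMEORIGIN header the security team wanted.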
