Redirecting question here from as suggested
We have a family of products that do intranet single sign on using ADFS.
We recently set up an AD FS 3 to verify compatibility. All protocols and token formats work without a problem, but we have a huge problem.
Our web applications depend heavily on iframes. But AD FS 3 is suddenly adding the following header to its response:

    X-Frame-Options: DENY
Currently IE11 is working but Chrome and Firefox are not.
AD FS provides no option to enable or disable this header. I even checked into the code and see that there is no condition that can drive this. The following is from Microsoft.IdentityServer.Web.UI.PageBase:

    protected void Render()
    {
        string text = this.PageTemplate;
        // AllowIFrame is the only switch; nothing in the product exposes it
        if (!this.AllowIFrame)
        {
            this.HttpListenerContext.Response.AddHeader("x-frame-options", "DENY");
        }
        this.HttpListenerContext.Response.Headers.Add(HttpResponseHeader.CacheControl, "no-cache");
        this.HttpListenerContext.Response.Headers.Add(HttpResponseHeader.CacheControl, "no-store");
        this.HttpListenerContext.Response.Headers.Add(HttpResponseHeader.Pragma, "no-cache");
        this.HttpListenerContext.Response.Headers.Add(HttpResponseHeader.Expires, "-1");
        text = this.ApplyTheme(text);
        text = this.RenderPageSpecifics(text);
        HttpContextUtility.WriteStringResponse(this.HttpListenerContext.Response, text);
    }
I understand the security reasons behind this choice and I also understand the potential vulnerabilities using iframes.
But iframes with all their potential problems are a legacy solution and are still present in many applications. This hard coded choice practically excludes these applications from upgrading integration with AD FS 3. This is even more weird, since IE is the one that doesn't respect the header and doesn't block the frame as Chrome and Firefox do.
I have already seen this related thread
Please advise on this matter.
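To see exactly why Chrome and Firefox refuse the frame, it helps to run a response's headers through the same decision a standards-following browser makes. The evaluator below is an added example, not code from the post or from AD FS; it models X-Frame-Options (DENY, SAMEORIGIN, legacy ALLOW-FROM) and the CSP frame-ancestors directive that overrides it, and the ADFS_HEADERS sample is constructed to resemble the response described above.

```python
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a page served with `headers` may be embedded by embedder_url.

    A CSP frame-ancestors directive, when present, takes precedence over
    X-Frame-Options; only exact origins, 'self' and 'none' are matched here
    (host wildcards such as *.example.com are not modelled).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)

    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in tokens[1:]]
            if "none" in sources:
                return False
            if "self" in sources and page == embedder:
                return True
            return embedder in sources

    xfo = lower.get("x-frame-options", "").strip()
    if not xfo:
        return True  # no anti-framing header: embedding is permitted
    value = xfo.upper()
    if value == "DENY":
        return False  # what AD FS 3 sends: blocked regardless of embedder
    if value == "SAMEORIGIN":
        return page == embedder
    if value.startswith("ALLOW-FROM"):
        # Legacy single-origin directive; never supported by every browser
        allowed = xfo.split(None, 1)[1].strip() if " " in xfo else ""
        return _origin(allowed) == embedder
    return True  # unrecognised value: not enforced by this model


# Constructed sample resembling the AD FS 3 sign-in page response
ADFS_HEADERS = {"X-Frame-Options": "DENY", "Cache-Control": "no-cache, no-store"}
```

Running framing_allowed(ADFS_HEADERS, "https://adfs.example.com/adfs/ls/", "https://app.example.com/") returns False for any embedder, which is the behaviour Chrome and Firefox enforce; a frame-ancestors policy listing the application origin is the one header combination that would make the same check return True.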