CSP scanning flagged /endsession/callback for missing frame-ancestors
Which version of Duende IdentityServer are you using?
6.1.7
Which version of .NET are you using?
6.0
Describe the bug
As part of a security audit, the /connect/endsession/callback endpoint was flagged by the CSP scan for a missing frame-ancestors directive.
Given how /connect/endsession/callback is used, it only seems to be loaded in a first-party parent frame, so could frame-ancestors: 'self'; be used?
Note, I found a similar issue raised here for a different endpoint /connect/checksession: https://github.com/IdentityServer/IdentityServer4/issues/3768.
To Reproduce
Steps to reproduce the behavior.
- Login
- Logout
- Observe the browser network traffic and response headers for /connect/endsession/callback. It does not contain a frame-ancestors CSP directive.
Expected behavior
Adding frame-ancestors: 'self' to the /connect/endsession/callback endpoint response would not break existing functionality and would give a more constrained CSP model.
@brockallen and @leastprivilege , what do you think of this? I can't think of any situation where the end session endpoint would be called in an iframe.
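As an added example, not code from this issue or from IdentityServer, the check the audit scanner performs can be reproduced offline: a small CSP parser run over constructed sample responses (the header values and the extra paths are assumptions), reporting each path whose policy lacks a frame-ancestors directive restricted to 'self' or 'none'.

```python
"""Audit Content-Security-Policy headers for a restrictive frame-ancestors directive.

Added example, not IdentityServer code: replays the scanner check from the
report over constructed sample responses instead of live HTTP traffic.
"""
from typing import Dict, List, Optional

# Constructed sample responses: path -> response headers (lowercased names).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/connect/endsession/callback": {
        "content-type": "text/html; charset=utf-8",
        # constructed: a CSP is present but has no frame-ancestors, as reported
        "content-security-policy": "default-src 'none'; script-src 'self'",
    },
    "/connect/checksession": {
        # constructed: the shape the report proposes for the callback endpoint
        "content-security-policy": "default-src 'none'; frame-ancestors 'self'",
    },
    "/connect/authorize": {},  # constructed: no CSP header at all
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors_finding(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding string, or None when framing is limited to the same origin."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return "no Content-Security-Policy header"
    sources = parse_csp(csp).get("frame-ancestors")
    if sources is None:
        return "CSP present but frame-ancestors directive missing"
    # 'self' and 'none' both stop third-party origins from framing the page
    if any(src.lower() not in ("'self'", "'none'") for src in sources):
        return "frame-ancestors allows other origins: " + " ".join(sources)
    return None


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each path with a finding to its finding text."""
    findings = {}
    for path, headers in responses.items():
        finding = frame_ancestors_finding(headers)
        if finding is not None:
            findings[path] = finding
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {finding}")
```

Only the first Content-Security-Policy header is inspected; a server that emits several (or Content-Security-Policy-Report-Only) needs each value checked separately.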