From 3190c90405999135bc2635cd858f14566924c480 Mon Sep 17 00:00:00 2001
From: Brock Allen
Date: Sat, 5 Aug 2017 12:51:05 -0400
Subject: [PATCH] remove XFO from end session callback iframe #1224
---
 .../Results/EndSessionCallbackResult.cs | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/src/IdentityServer4/Endpoints/Results/EndSessionCallbackResult.cs b/src/IdentityServer4/Endpoints/Results/EndSessionCallbackResult.cs
index bc69a87c06..8ba198e46b 100644
--- a/src/IdentityServer4/Endpoints/Results/EndSessionCallbackResult.cs
+++ b/src/IdentityServer4/Endpoints/Results/EndSessionCallbackResult.cs
@@ -55,7 +55,6 @@ public async Task ExecuteAsync(HttpContext context)
 else
 {
 context.Response.SetNoCache();
- AddXfoHeaders(context);
 AddCspHeaders(context);

 var html = GetHtml();
@@ -92,22 +91,6 @@ private void AddCspHeaders(HttpContext context)
 }
 }

- private void AddXfoHeaders(HttpContext context)
- {
- if (!context.Response.Headers.ContainsKey("X-Frame-Options"))
- {
- var logoutPageUrl = _options.UserInteraction.LogoutUrl;
- if (logoutPageUrl.IsLocalUrl())
- {
- context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
- }
- else
- {
- context.Response.Headers.Add("X-Frame-Options", $"ALLOW-FROM {logoutPageUrl.GetOrigin()}");
- }
- }
- }
-
 string GetHtml()
 {
 string framesHtml = null;
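Review bot: With the `AddXfoHeaders(context);` call gone from the `else` branch of `ExecuteAsync`, the callback response carries no framing restriction unless `AddCspHeaders` supplies one, and that method's body lies outside these hunks. If the policy it emits has no `frame-ancestors` directive, any origin can embed this page; `frame-ancestors` is the standards-track replacement for `X-Frame-Options` and can name the origin of `_options.UserInteraction.LogoutUrl`, which `ALLOW-FROM` never did consistently across browsers. It is also worth recording the decision at the call site, for example `// X-Frame-Options intentionally omitted: this page is loaded in an iframe (#1224); framing is governed by CSP`, so the header is not re-added later without that context. `ExecuteAsync` begins and ends outside the first hunk.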