Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'

I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set with the value ‘SAMEORIGIN‘. This is actually a reasonable default as it helps mitigate the risk of ClickJacking. The website in question, however, is designed to run in an iFrame, and this header immediately caused issues.

After a fruitless search of all my code in Visual Studio for ‘X-Frame-Options’ and ‘SAMEORIGIN’, I decided to try Windows Grep as a last resort, and it found that ‘SAMEORIGIN’ was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header when you call Html.AntiForgeryToken() as of August this year. Even better, there’s an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader to true (I’ve done this in my Application_Start() method). MSDN doesn’t didn’t even document this property yet, so I’m lucky to have found it. Two other bloggers have written about this in English and Japanese.