Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'

I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my web pages were being returned with the X-Frame-Options header set to the value ‘SAMEORIGIN’. This is actually a reasonable default, as it tells the browser to refuse to render the page inside a frame on any other origin and so helps mitigate the risk of clickjacking. The website in question, however, is designed to run in an iframe on a different site, and this header immediately broke it.

After a fruitless search of all my code in Visual Studio for ‘X-Frame-Options’ and ‘SAMEORIGIN’, I decided to try Windows Grep as a last resort, and it found that ‘SAMEORIGIN’ was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header whenever you call Html.AntiForgeryToken(), as of August this year. Even better, there’s an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader (in the System.Web.Helpers namespace) to true. I’ve done this in my Application_Start() method. MSDN didn’t even document this property yet, so I’m lucky to have found it. Two other bloggers have written about this in English and Japanese.
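Here is how the change looks in practice, as an added example that is not the original post’s code. Suppressing the header on its own removes the clickjacking protection for every origin, not just the one you want to embed the site, so the example also re-adds a policy that names only the intended parent. It assumes a standard MVC 5 project (with the usual RouteConfig class) embedded by a single trusted parent site, for which the placeholder origin https://parent.example is used; the FramedApp namespace and the FrameAncestorsFilter class are invented for the example.

```csharp
// Global.asax.cs (added example, not the original post's code). Assumes an MVC 5
// project embedded by one trusted parent, https://parent.example (a placeholder;
// substitute the real origin). AntiForgeryConfig lives in System.Web.Helpers
// (System.Web.WebPages.dll), which MVC 5 projects already reference.
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

namespace FramedApp
{
    // Global filter that restores a framing policy once the library default is
    // suppressed. Without it the site is frameable from *any* origin.
    public class FrameAncestorsFilter : ActionFilterAttribute
    {
        private readonly string _allowedParent;

        public FrameAncestorsFilter(string allowedParent)
        {
            _allowedParent = allowedParent;
        }

        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // Child actions (Html.Action / Html.RenderAction) share the parent
            // response; skip them so the headers are not appended twice.
            if (filterContext.IsChildAction)
            {
                base.OnResultExecuting(filterContext);
                return;
            }

            HttpResponseBase response = filterContext.HttpContext.Response;

            // CSP frame-ancestors is the standards-track successor to X-Frame-Options
            // and accepts an explicit allow-list of parent origins.
            response.AppendHeader("Content-Security-Policy",
                "frame-ancestors 'self' " + _allowedParent);

            // Legacy fallback for older browsers. ALLOW-FROM takes a single origin and
            // was never supported everywhere, so treat it as best-effort only.
            response.AppendHeader("X-Frame-Options", "ALLOW-FROM " + _allowedParent);

            base.OnResultExecuting(filterContext);
        }
    }

    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(RouteTable.Routes);

            // Stop Html.AntiForgeryToken() from emitting "X-Frame-Options: SAMEORIGIN",
            // which would make the browser refuse to render the page in the parent's iframe.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

            // ...but do not leave the site frameable by arbitrary origins: re-add a
            // policy that names only the trusted parent.
            GlobalFilters.Filters.Add(new FrameAncestorsFilter("https://parent.example"));
        }
    }
}
```

After deploying, confirm the result from outside the application rather than trusting the code: fetch a page that renders an anti-forgery token (for example with `curl -sI` against the page URL) and check that the response carries the frame-ancestors policy and no longer carries ‘X-Frame-Options: SAMEORIGIN’. If the site is only ever meant to be framed by one parent, keep that allow-list as narrow as the example shows; widening it to ‘*’ reintroduces exactly the clickjacking exposure the default header was there to prevent.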

8 responses to “Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'”

  1. Alex

    Thank you very much for this hint. It saved me a lot of time when I moved a website under a Facebook tab iframe.

  2. VK

    Thanks for the info. This saved me a lot of time!!

  3. Dampee

    Today you are my hero! Thanks for sharing this!

  4. Domantas

    Awesome, you saved my day. Thank you.

  5. Mike

    Yes! Thank you. Same issue, been beating my head against the wall.

  6. Michal

    Saved my life today, thanks big-time.
