Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'

I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set to 'SAMEORIGIN'. This is actually a reasonable default, as it helps mitigate the risk of clickjacking. The website in question, however, is designed to run in an iframe, and this header immediately caused issues.

After a fruitless search of all my code in Visual Studio for 'X-Frame-Options' and 'SAMEORIGIN', I decided to try Windows Grep as a last resort, and it found that 'SAMEORIGIN' was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header when you call Html.AntiForgeryToken(), as of August this year. Even better, there's an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader to true (I've done this in my Application_Start() method). MSDN hadn't even documented this property yet, so I'm lucky to have found it. Two other bloggers have written about this, in English and Japanese.
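Here is what that looks like in practice, as an added example (not code from the original post or from ASP.NET itself): a Global.asax.cs that suppresses the header in Application_Start() and then restores a frame policy that allows only the one site that is supposed to embed the application. The surrounding registration calls follow the default MVC 5 project template, and the embedding origin is a made-up placeholder. The point of the second step is that SuppressXFrameOptionsHeader removes the clickjacking mitigation entirely, and because the built-in header is only emitted on responses that render Html.AntiForgeryToken(), a site-wide policy is the better place to put it anyway.

```csharp
using System;
using System.Web;
using System.Web.Helpers;   // AntiForgeryConfig lives here (System.Web.WebPages.dll)
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    // Constructed placeholder: the only origin that is allowed to frame this site.
    // Replace with the real embedding site's origin (scheme + host).
    private const string AllowedFramingOrigin = "https://embedding-site.example";

    protected void Application_Start()
    {
        // Standard MVC 5 template registrations (RouteConfig is the template's class).
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // Stop AntiForgeryWorker from adding "X-Frame-Options: SAMEORIGIN"
        // to every response that renders Html.AntiForgeryToken().
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Having switched off the default, re-apply clickjacking protection ourselves,
        // scoped to the origin that legitimately embeds us. CSP frame-ancestors is the
        // standards-track replacement for X-Frame-Options and supports a list of origins;
        // 'self' keeps the site's own pages able to frame each other.
        Response.AppendHeader(
            "Content-Security-Policy",
            "frame-ancestors 'self' " + AllowedFramingOrigin);
    }
}
```

Browsers that do not understand Content-Security-Policy will simply allow framing, which is the same behaviour the post's fix produces on its own; everything newer enforces the restricted list. If you must also serve very old browsers, X-Frame-Options has no multi-origin form, so frame-ancestors is the only header that expresses "this origin and no other".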


Comments

8 responses to “Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'”

  1. Alex

    Thank you very much for this hint. It saved me much time when I moved a website under a Facebook tab iframe.

  2. VK

    Thanks for the info. This saved me a lot of time!!

  3. Dampee

    Today you are my hero! Thanks for sharing this!

  4. Domantas

    Awesome, you saved my day. Thank you

  5. Mike

    Yes! Thank-you. Same issue, been beating my head against the wall.

  6. Michal

    saved my life today, thanks big-time
