I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set to the value 'SAMEORIGIN'. This is actually a reasonable default, as it helps mitigate the risk of clickjacking. The website in question, however, is designed to run in an iframe, and this header immediately caused issues.

After a fruitless search of all my code in Visual Studio for 'X-Frame-Options' and 'SAMEORIGIN', I decided to try Windows Grep as a last resort, and it found that 'SAMEORIGIN' was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header when you call Html.AntiForgeryToken() as of August this year. Even better, there's an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader to true (I've done this in my Application_Start() method). MSDN didn't even document this property yet, so I'm lucky to have found it. Two other bloggers have written about this in English and Japanese.
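As an added example (not code from the original post), here is what the Application_Start() change looks like in Global.asax.cs, together with the caveat that matters from a security standpoint: suppressing the header means the anti-forgery helper no longer emits any framing restriction at all, so the site becomes frameable by any origin. The example therefore re-establishes a framing policy scoped to the one parent origin the site is meant to run in, using a Content-Security-Policy frame-ancestors header. The `https://parent.example` origin is a placeholder for the real embedding site, and the use of Application_BeginRequest with Response.AppendHeader is an assumption about where this fits in a given application; the AntiForgeryConfig property itself is the one the post describes, in the System.Web.Helpers namespace.

```csharp
using System.Web;
using System.Web.Helpers;   // AntiForgeryConfig lives here (System.Web.WebPages.dll)
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    // Placeholder: the single parent origin allowed to frame this site.
    private const string TrustedFrameAncestor = "https://parent.example";

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // Stop AntiForgeryWorker from adding "X-Frame-Options: SAMEORIGIN"
        // every time a view calls Html.AntiForgeryToken().
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }

    protected void Application_BeginRequest()
    {
        // With the MVC default suppressed, nothing restricts framing any more.
        // Re-impose a policy that permits only the trusted parent origin
        // (assumed placement; AppendHeader works in classic and integrated mode).
        Response.AppendHeader(
            "Content-Security-Policy",
            "frame-ancestors " + TrustedFrameAncestor);
    }
}
```

Browsers that support frame-ancestors will refuse to render the page inside any frame whose top-level origin is not the listed one, which keeps the clickjacking protection the post mentions while still allowing the intended embedding. Verify the result by loading a page that renders an anti-forgery token and checking that the response carries the Content-Security-Policy header and no X-Frame-Options header.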
8 responses to “Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'”
Thank you very much for this hint. It saved me much time when I moved a website under a Facebook tab iframe.
Thanks for the info. This saved me a lot of time!!
Today you are my hero! Thanks for sharing this!
Awesome, you saved my day. Thank you
thank you
Yes! Thank you. Same issue, been beating my head against the wall.
Looks like it is now documented also.
https://msdn.microsoft.com/en-us/library/system.web.helpers.antiforgeryconfig.suppressxframeoptionsheader(v=vs.111).aspx
saved my life today, thanks big-time