{"id":487,"date":"2013-11-28T14:45:32","date_gmt":"2013-11-28T03:45:32","guid":{"rendered":"http:\/\/blog.quppa.net\/?p=487"},"modified":"2013-11-28T14:45:32","modified_gmt":"2013-11-28T03:45:32","slug":"html-antiforgerytoken-sets-an-x-frame-options-header-with-the-value-sameorigin","status":"publish","type":"post","link":"https:\/\/www.quppa.net\/blog\/2013\/11\/28\/html-antiforgerytoken-sets-an-x-frame-options-header-with-the-value-sameorigin\/","title":{"rendered":"Html.AntiForgeryToken() sets an X-Frame-Options header with the value &#039;SAMEORIGIN&#039;"},"content":{"rendered":"<p>I recently <a title=\"ASP.NET: How to Upgrade an ASP.NET MVC 4 and Web API Project to ASP.NET MVC 5 and Web API 2\" href=\"http:\/\/www.asp.net\/mvc\/tutorials\/mvc-5\/how-to-upgrade-an-aspnet-mvc-4-and-web-api-project-to-aspnet-mvc-5-and-web-api-2\">migrated a project from ASP.NET MVC 4 to MVC 5<\/a> and the process went quite smoothly, except that all of a sudden my webpages were being returned with the <code>X-Frame-Options<\/code> header set to the value &#8216;<code>SAMEORIGIN<\/code>&#8217;. This is actually a reasonable default, as it helps <a href=\"http:\/\/blogs.msdn.com\/b\/ieinternals\/archive\/2010\/03\/30\/combating-clickjacking-with-x-frame-options.aspx\" title=\"Eric Law's Blog: Combating ClickJacking With X-Frame-Options\">mitigate the risk of ClickJacking<\/a>. The website in question, however, is designed to run in an iframe, and this header immediately caused issues.<\/p>\n<p>After a fruitless search of all my code in Visual Studio for &#8216;X-Frame-Options&#8217; and &#8216;SAMEORIGIN&#8217;, I decided to try <a href=\"http:\/\/www.wingrep.com\/\" title=\"Windows Grep\">Windows Grep<\/a> as a last resort, and it found that &#8216;SAMEORIGIN&#8217; was present in <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/system.web.webpages(v=vs.111).aspx\" title=\"MSDN: System.Web.WebPages Namespace\">System.Web.WebPages.dll<\/a>. 
Thanks to Microsoft <a href=\"http:\/\/www.asp.net\/mvc\/open-source\" title=\"ASP.NET Open Source\">making ASP.NET MVC open source<\/a>, I was able to find the relevant code quite easily on GitHub; it turns out that the <a href=\"https:\/\/github.com\/ASP-NET-MVC\/aspnetwebstack\/blob\/master\/src\/System.Web.WebPages\/Helpers\/AntiXsrf\/AntiForgeryWorker.cs\" title=\"GitHub: AntiForgeryWorker.cs\">AntiForgeryWorker class<\/a> adds the header when you call Html.AntiForgeryToken(), as of August this year. Even better, there&#8217;s an easy way to prevent this behaviour: set the static property <code>AntiForgeryConfig.SuppressXFrameOptionsHeader<\/code> to <code>true<\/code> (I&#8217;ve done this in my Application_Start() method). <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/system.web.helpers.antiforgeryconfig(v=vs.111).aspx\" title=\"AntiForgeryConfig Class\">MSDN <del datetime=\"2015-03-24T08:03:35+00:00\">doesn&#8217;t<\/del> didn&#8217;t even document this property <del datetime=\"2015-03-24T08:03:35+00:00\">yet<\/del><\/a>, so I&#8217;m lucky to have found it. Two other bloggers have written about this in <a href=\"http:\/\/joost.haneveer.nl\/asp-net\/display-mvc-5-web-site-in-an-iframe\/\" title=\"Joost's Blog: Display MVC 5 web site in an IFrame\">English<\/a> and <a href=\"http:\/\/shiba-yan.hatenablog.jp\/entry\/20131019\/1382147363\" title=\"Shiba-yan's Notes: ASP.NET MVC 5 can output the X-Frame-Options header automatically at times\">Japanese<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set to the value &#8216;SAMEORIGIN&#8217;. This is actually a reasonable default, as it helps mitigate the risk of ClickJacking. 
The website in &hellip; <a href=\"https:\/\/www.quppa.net\/blog\/2013\/11\/28\/html-antiforgerytoken-sets-an-x-frame-options-header-with-the-value-sameorigin\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Html.AntiForgeryToken() sets an X-Frame-Options header with the value &#039;SAMEORIGIN&#039;&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[19],"class_list":["post-487","post","type-post","status-publish","format-standard","hentry","category-programming","tag-asp-net-mvc-headers-iis"],"_links":{"self":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts\/487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/comments?post=487"}],"version-history":[{"count":0,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts\/487\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/media?parent=487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/categories?post=487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/tags?post=487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}