MVC 5 prevents access to content via Iframe


47

Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:

    X-Frame-Options: SAMEORIGIN

I understand the security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), and this extra header is preventing this.

I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4, the header is gone.

Does anyone know how to remove this default from MVC5?

asp.net-mvc

asked Nov 27 '13 at 22:29
Leszek R.

  • This same question was just asked, so if you don't get an answer here, keep an eye on that one.
    – Joe Enos
    Nov 27 '13 at 22:31

5 Answers

2

Here is a replacement extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.

This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.

    // Needs System.Web, System.Web.Helpers and System.Web.Mvc; declare inside a static class.
    public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)
    {
        string token = AntiForgery.GetHtml().ToString();
        HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

        // Clear whatever GetHtml() or earlier code added, then re-add a single header.
        httpResponse.Headers.Remove("X-Frame-Options");
        if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
        {
            httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
        }
        return new MvcHtmlString(token);
    }

2

If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.

https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/

0

Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site. I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.

    // Requires: using System.Web.Mvc;
    public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter
    {
        public override void OnResultExecuted(ResultExecutedContext filterContext)
        {
            // Runs after the view has rendered, so the anti-forgery helper's header is already set.
            filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
            base.OnResultExecuted(filterContext);
        }
    }
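
As an added example (not code from any answer on this page), the per-action filter idea can be narrowed so that an embeddable page is exempt only for named embedding sites: the filter drops the SAMEORIGIN header added by the anti-forgery helper and sends a Content-Security-Policy frame-ancestors directive in its place. The names AllowFramingFromAttribute and WidgetController and the origin https://partner.example are hypothetical, and the code assumes the IIS integrated pipeline, which Response.Headers requires.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example; AllowFramingFromAttribute is a hypothetical name, not an MVC type.
public sealed class AllowFramingFromAttribute : ActionFilterAttribute
{
    private readonly string _frameAncestors;

    public AllowFramingFromAttribute(params string[] origins)
    {
        if (origins == null || origins.Length == 0)
        {
            throw new ArgumentException("List at least one embedding origin.", "origins");
        }
        // 'self' keeps same-origin framing working, matching what SAMEORIGIN allowed.
        _frameAncestors = "frame-ancestors 'self' " +
                          string.Join(" ", origins.Select(ToOrigin).Distinct());
    }

    // Accept only absolute https origins (scheme://host[:port]) with no path, query,
    // fragment or credentials, so nothing else can end up in the header value.
    private static string ToOrigin(string value)
    {
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri) ||
            uri.Scheme != Uri.UriSchemeHttps ||
            uri.AbsolutePath != "/" ||
            uri.Query.Length != 0 ||
            uri.Fragment.Length != 0 ||
            uri.UserInfo.Length != 0)
        {
            throw new ArgumentException("Not a bare https origin: " + value, "value");
        }
        return uri.GetLeftPart(UriPartial.Authority);
    }

    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // The view has rendered by now, so @Html.AntiForgeryToken() has already
        // queued X-Frame-Options: SAMEORIGIN. That value cannot name other sites,
        // so it is replaced rather than supplemented.
        response.Headers.Remove("X-Frame-Options");

        // Assumption: the application sends no other Content-Security-Policy header.
        // If it does, merge frame-ancestors into that policy instead of overwriting it.
        response.Headers["Content-Security-Policy"] = _frameAncestors;

        base.OnResultExecuted(filterContext);
    }
}

// Usage (hypothetical controller): only this action may be framed by the partner site;
// every other page keeps the default SAMEORIGIN header.
public class WidgetController : Controller
{
    [AllowFramingFrom("https://partner.example")]
    public ActionResult Embed()
    {
        return View();
    }
}
```

Leave AntiForgeryConfig.SuppressXFrameOptionsHeader at its default so that pages without the attribute still receive SAMEORIGIN. Browsers that do not implement frame-ancestors apply no framing restriction to a page handled this way.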







87

MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.

But we can turn this off in Application_Start in the Global.asax.cs.

Example

    protected void Application_Start()
    {
        // AntiForgeryConfig is in the System.Web.Helpers namespace.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }

Update

I have written a post about this: MVC5 prevents your website being loaded in an IFRAME

edited Dec 16 '13 at 16:30
answered Nov 28 '13 at 9:28
Colin Bacon

  • 1
    What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?
    – Joel
    Jul 21 '14 at 14:19

  • 1
    Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
    – Jared Kells
    Sep 28 '14 at 2:56

  • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>
    – harry180
    May 8 '15 at 11:07

  • 3
    This answer requires the System.Web.Helpers namespace in your global.asax file.
    – Jim Yarbro
    Sep 20 '15 at 12:32

  • Http Headers issues: stackoverflow.com/questions/34270192/…
    – Kiquenet
    Mar 18 at 14:23

4

Try something like this in Global.asax:

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
    }

EDIT:

Look at the answer of Colin Bacon. It is more correct than mine.

In short - don't remove this header if you don't want to run your site in an IFRAME, because it will open a forgery vulnerability. But if you still want to remove it, use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start; it is a cleaner way of doing this.

edited May 23 '17 at 12:26
Community

answered Nov 27 '13 at 22:31
Oleksii Aza

  • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.
    – Leszek R.
    Nov 27 '13 at 22:47

  • 2
    We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    – Colin Bacon
    Nov 28 '13 at 9:30

  • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.
    – Dmitri Trofimov
    Apr 27 '16 at 12:23

  • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?
    – StuartQ
    Jul 19 '16 at 9:30
        • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

          – Leszek R.
          Nov 27 '13 at 22:47







        • 2





          We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

          – Colin Bacon
          Nov 28 '13 at 9:30











        • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

          – Dmitri Trofimov
          Apr 27 '16 at 12:23






















        2














        Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



        This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



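        // Requires: using System.Web; using System.Web.Helpers; using System.Web.Mvc;
        // Extension methods must be declared inside a static class.
        public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)
        {
            // GetHtml() also adds X-Frame-Options unless suppression is configured.
            string token = AntiForgery.GetHtml().ToString();
            HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

            // Clear every X-Frame-Options header, then add back at most one.
            httpResponse.Headers.Remove("X-Frame-Options");
            if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
            {
                httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
            }
            return new MvcHtmlString(token);
        }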
















        answered Aug 27 '15 at 14:36
        – Zarepheth





















                2














                If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



                https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/
















                answered Jun 30 '16 at 18:47
                – long2know





















                        0














                        Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site. I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames, e.g. widgets.

                        using System.Web.Mvc;

                        public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter
                        {
                            public override void OnResultExecuted(ResultExecutedContext filterContext)
                            {
                                // Runs after the view has rendered, so the header added by the anti-forgery helper is already present.
                                filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
                                base.OnResultExecuted(filterContext);
                            }
                        }

















                        answered Mar 27 at 5:18
                        – Denys Wessels
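A narrower variant of the last two answers (the referrer whitelist and the per-action filter that removes the header), added here as an example and not taken from either answer or the linked post: the filter drops X-Frame-Options for the decorated action and sends a Content-Security-Policy frame-ancestors policy that names the origins allowed to embed it. The attribute name AllowFramingFromAttribute and the origin https://partner.example are hypothetical, and the IIS integrated pipeline is assumed.

```csharp
using System;
using System.Web.Mvc;

// Added example: the attribute name and the origin in the usage line are hypothetical.
// Usage: [AllowFramingFrom("https://partner.example")] on a widget action or controller.
public sealed class AllowFramingFromAttribute : ActionFilterAttribute
{
    private readonly string _policy;

    public AllowFramingFromAttribute(params string[] origins)
    {
        foreach (string origin in origins)
        {
            // Accept only bare http(s) origins so a malformed entry cannot widen the policy.
            Uri uri;
            bool ok = Uri.TryCreate(origin, UriKind.Absolute, out uri)
                && (uri.Scheme == Uri.UriSchemeHttps || uri.Scheme == Uri.UriSchemeHttp)
                && uri.AbsolutePath == "/" && uri.Query.Length == 0
                && uri.Fragment.Length == 0 && uri.UserInfo.Length == 0;
            if (!ok)
            {
                throw new ArgumentException("Not a bare origin: " + origin, "origins");
            }
        }

        // Emit scheme://host[:port] only; 'self' keeps same-site framing working, as SAMEORIGIN did.
        string[] sources = Array.ConvertAll(
            origins, o => new Uri(o).GetLeftPart(UriPartial.Authority));
        _policy = ("frame-ancestors 'self' " + string.Join(" ", sources)).TrimEnd();
    }

    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        var response = filterContext.HttpContext.Response;

        // Remove the SAMEORIGIN header that @Html.AntiForgeryToken() added during rendering.
        // Response.Headers requires the IIS integrated pipeline.
        response.Headers.Remove("X-Frame-Options");

        // Added as a separate header: browsers enforce every CSP policy they receive,
        // so this cannot loosen a Content-Security-Policy the application already sends.
        response.AddHeader("Content-Security-Policy", _policy);

        base.OnResultExecuted(filterContext);
    }
}
```

Browsers that do not implement frame-ancestors apply no framing restriction to these actions, because X-Frame-Options has been removed.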


























