MVC 5 prevents access to content via IframeDisplay MVC page in iframe in another siteServer Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgeryX-Frame-Options not working IIS web.configAfter update to MVC 5, iframe no longer worksIIS is adding default 'X-Frame-Options:SAMEORIGIN' even then I added new HTTP response header in default website level as'X-Frame-Options:ALLOW'.Can't display content in a frame“this content cannot be viewed in a frame” error the first time I load the pageIIS defaults X-Frame-Options Deny every time I publish my websiteCompile Views in ASP.NET MVCHow do you handle multiple submit buttons in ASP.NET MVC Framework?In MVC, how do I return a string result?ASP.NET MVC - Set custom IIdentity or IPrincipalFile Upload ASP.NET MVC 3.0After update to MVC 5, iframe no longer worksSameOrigin Policy interfering with Google DocsAllow frame from different domain with MVC5Downgrade MVC 5 to mvc 4Cross domain communication is not happening after adding Xframeoptions : Sameorigin

What makes accurate emulation of old systems a difficult task?

Multiple options vs single option UI

Philosophical question on logistic regression: why isn't the optimal threshold value trained?

What was Apollo 13's "Little Jolt" after MECO?

Why did C use the -> operator instead of reusing the . operator?

Creating a chemical industry from a medieval tech level without petroleum

Older movie/show about humans on derelict alien warship which refuels by passing through a star

Why do games have consumables?

How long after the last departure shall the airport stay open for an emergency return?

A strange hotel

What is the unit of time_lock_delta in LND?

How important is it that $TERM is correct?

Work requires me to come in early to start computer but wont let me clock in to get paid for it

Check if a string is entirely made of the same substring

Prove that the countable union of countable sets is also countable

How do I produce this Greek letter koppa: Ϟ in pdfLaTeX?

What *exactly* is electrical current, voltage, and resistance?

All ASCII characters with a given bit count

"Whatever a Russian does, they end up making the Kalashnikov gun"? Are there any similar proverbs in English?

"My boss was furious with me and I have been fired" vs. "My boss was furious with me and I was fired"

Can a stored procedure reference the database in which it is stored?

What does MLD stand for?

How much cash can I safely carry into the USA and avoid civil forfeiture?

How can I practically buy stocks?



MVC 5 prevents access to content via Iframe


Display MVC page in iframe in another siteServer Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgeryX-Frame-Options not working IIS web.configAfter update to MVC 5, iframe no longer worksIIS is adding default 'X-Frame-Options:SAMEORIGIN' even then I added new HTTP response header in default website level as'X-Frame-Options:ALLOW'.Can't display content in a frame“this content cannot be viewed in a frame” error the first time I load the pageIIS defaults X-Frame-Options Deny every time I publish my websiteCompile Views in ASP.NET MVCHow do you handle multiple submit buttons in ASP.NET MVC Framework?In MVC, how do I return a string result?ASP.NET MVC - Set custom IIdentity or IPrincipalFile Upload ASP.NET MVC 3.0After update to MVC 5, iframe no longer worksSameOrigin Policy interfering with Google DocsAllow frame from different domain with MVC5Downgrade MVC 5 to mvc 4Cross domain communication is not happening after adding Xframeoptions : Sameorigin






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








47















Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:



X-Frame-Options: SAMEORIGIN



I understand security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), this extra header is preventing this.



I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 - the header is gone.



Does anyone know how to remove this default from MVC5?






asp.net-mvc







share|improve this question






















  • This same question was just asked, so if you don't get an answer here, keep an eye on that one.

    – Joe Enos
    Nov 27 '13 at 22:31

















47















Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:



X-Frame-Options: SAMEORIGIN



I understand security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), this extra header is preventing this.



I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 - the header is gone.



Does anyone know how to remove this default from MVC5?






asp.net-mvc







share|improve this question






















  • This same question was just asked, so if you don't get an answer here, keep an eye on that one.

    – Joe Enos
    Nov 27 '13 at 22:31













47












47








47


5






Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:



X-Frame-Options: SAMEORIGIN



I understand security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), this extra header is preventing this.



I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 - the header is gone.



Does anyone know how to remove this default from MVC5?






asp.net-mvc







share|improve this question














Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:



X-Frame-Options: SAMEORIGIN



I understand security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), this extra header is preventing this.



I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 - the header is gone.



Does anyone know how to remove this default from MVC5?






asp.net-mvc




asp.net-mvc






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 27 '13 at 22:29









Leszek R.Leszek R.

338135




338135












  • This same question was just asked, so if you don't get an answer here, keep an eye on that one.

    – Joe Enos
    Nov 27 '13 at 22:31

















  • This same question was just asked, so if you don't get an answer here, keep an eye on that one.

    – Joe Enos
    Nov 27 '13 at 22:31
















This same question was just asked, so if you don't get an answer here, keep an eye on that one.

– Joe Enos
Nov 27 '13 at 22:31





This same question was just asked, so if you don't get an answer here, keep an eye on that one.

– Joe Enos
Nov 27 '13 at 22:31












5 Answers
5






active

oldest

votes


















87














MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.



But we can turn this off in Application_Start in the Global.asax.cs.



Example



protected void Application_Start()

 AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



Update



I have written a post about this MVC5 prevents your website being loaded in an IFRAME






share|improve this answer




















  • 1





    What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

    – Joel
    Jul 21 '14 at 14:19






  • 1





    Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

    – Jared Kells
    Sep 28 '14 at 2:56












  • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

    – harry180
    May 8 '15 at 11:07






  • 3





    This answer requires the System.Web.Helpers namespace in your global.asax file.

    – Jim Yarbro
    Sep 20 '15 at 12:32











  • Http Headers issues: stackoverflow.com/questions/34270192/…

    – Kiquenet
    Mar 18 at 14:23


















4














Try something like this in Global.asax:



protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 
 HttpContext.Current.Response.Headers.Remove("X-Frame-Options");


EDIT:



Look at answer of Colin Bacon. It is more correct than mine.



In short - don't remove this header if you don't want to run your site in IFRAME because it will open forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start, it is more cleaner way for doing this.






share|improve this answer

























  • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

    – Leszek R.
    Nov 27 '13 at 22:47







  • 2





    We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

    – Colin Bacon
    Nov 28 '13 at 9:30











  • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

    – Dmitri Trofimov
    Apr 27 '16 at 12:23











  • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

    – StuartQ
    Jul 19 '16 at 9:30


















2














Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)

 string token = AntiForgery.GetHtml().ToString();
 HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

 httpResponse.Headers.Remove("X-Frame-Options");
 if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
 
 httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
 
 return new MvcHtmlString(token);






share|improve this answer






























    2














    If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



    https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/






    share|improve this answer






























      0














      Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site.I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.



      public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter

       public override void OnResultExecuted(ResultExecutedContext filterContext)
       
       filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
       base.OnResultExecuted(filterContext);






      share|improve this answer























        Your Answer






        StackExchange.ifUsing("editor", function ()
        StackExchange.using("externalEditor", function ()
        StackExchange.using("snippets", function ()
        StackExchange.snippets.init();
        );
        );
        , "code-snippets");

        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "1"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20254303%2fmvc-5-prevents-access-to-content-via-iframe%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        5 Answers
        5






        active

        oldest

        votes








        5 Answers
        5






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        87














        MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.



        But we can turn this off in Application_Start in the Global.asax.cs.



        Example



        protected void Application_Start()

         AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



        Update



        I have written a post about this MVC5 prevents your website being loaded in an IFRAME






        share|improve this answer




















        • 1





          What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

          – Joel
          Jul 21 '14 at 14:19






        • 1





          Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

          – Jared Kells
          Sep 28 '14 at 2:56












        • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

          – harry180
          May 8 '15 at 11:07






        • 3





          This answer requires the System.Web.Helpers namespace in your global.asax file.

          – Jim Yarbro
          Sep 20 '15 at 12:32











        • Http Headers issues: stackoverflow.com/questions/34270192/…

          – Kiquenet
          Mar 18 at 14:23















        87














        MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.



        But we can turn this off in Application_Start in the Global.asax.cs.



        Example



        protected void Application_Start()

         AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



        Update



        I have written a post about this MVC5 prevents your website being loaded in an IFRAME






        share|improve this answer




















        • 1





          What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

          – Joel
          Jul 21 '14 at 14:19






        • 1





          Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

          – Jared Kells
          Sep 28 '14 at 2:56












        • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

          – harry180
          May 8 '15 at 11:07






        • 3





          This answer requires the System.Web.Helpers namespace in your global.asax file.

          – Jim Yarbro
          Sep 20 '15 at 12:32











        • Http Headers issues: stackoverflow.com/questions/34270192/…

          – Kiquenet
          Mar 18 at 14:23













        87












        87








        87







        MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.



        But we can turn this off in Application_Start in the Global.asax.cs.



        Example



        protected void Application_Start()

         AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



        Update



        I have written a post about this MVC5 prevents your website being loaded in an IFRAME






        share|improve this answer















        MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.



        But we can turn this off in Application_Start in the Global.asax.cs.



        Example



        protected void Application_Start()

         AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



        Update



        I have written a post about this MVC5 prevents your website being loaded in an IFRAME







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Dec 16 '13 at 16:30

























        answered Nov 28 '13 at 9:28









        Colin BaconColin Bacon

        13k63959




        13k63959







        • 1





          What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

          – Joel
          Jul 21 '14 at 14:19






        • 1





          Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

          – Jared Kells
          Sep 28 '14 at 2:56












        • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

          – harry180
          May 8 '15 at 11:07






        • 3





          This answer requires the System.Web.Helpers namespace in your global.asax file.

          – Jim Yarbro
          Sep 20 '15 at 12:32











        • Http Headers issues: stackoverflow.com/questions/34270192/…

          – Kiquenet
          Mar 18 at 14:23












        • 1





          What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

          – Joel
          Jul 21 '14 at 14:19






        • 1





          Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

          – Jared Kells
          Sep 28 '14 at 2:56












        • You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

          – harry180
          May 8 '15 at 11:07






        • 3





          This answer requires the System.Web.Helpers namespace in your global.asax file.

          – Jim Yarbro
          Sep 20 '15 at 12:32











        • Http Headers issues: stackoverflow.com/questions/34270192/…

          – Kiquenet
          Mar 18 at 14:23







        1




        1





        What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

        – Joel
        Jul 21 '14 at 14:19





        What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per stackoverflow.com/a/20254341/65611)?

        – Joel
        Jul 21 '14 at 14:19




        1




        1





        Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

        – Jared Kells
        Sep 28 '14 at 2:56






        Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

        – Jared Kells
        Sep 28 '14 at 2:56














        You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

        – harry180
        May 8 '15 at 11:07





        You could just add this to your web.config <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>

        – harry180
        May 8 '15 at 11:07




        3




        3





        This answer requires the System.Web.Helpers namespace in your global.asax file.

        – Jim Yarbro
        Sep 20 '15 at 12:32





        This answer requires the System.Web.Helpers namespace in your global.asax file.

        – Jim Yarbro
        Sep 20 '15 at 12:32













        Http Headers issues: stackoverflow.com/questions/34270192/…

        – Kiquenet
        Mar 18 at 14:23





        Http Headers issues: stackoverflow.com/questions/34270192/…

        – Kiquenet
        Mar 18 at 14:23













        4














        Try something like this in Global.asax:



        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
         
         HttpContext.Current.Response.Headers.Remove("X-Frame-Options");


        EDIT:



        Look at answer of Colin Bacon. It is more correct than mine.



        In short - don't remove this header if you don't want to run your site in IFRAME because it will open forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start, it is more cleaner way for doing this.






        share|improve this answer

























        • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

          – Leszek R.
          Nov 27 '13 at 22:47







        • 2





          We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

          – Colin Bacon
          Nov 28 '13 at 9:30











        • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

          – Dmitri Trofimov
          Apr 27 '16 at 12:23











        • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

          – StuartQ
          Jul 19 '16 at 9:30















        4














        Try something like this in Global.asax:



        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
         
         HttpContext.Current.Response.Headers.Remove("X-Frame-Options");


        EDIT:



        Look at answer of Colin Bacon. It is more correct than mine.



        In short - don't remove this header if you don't want to run your site in IFRAME because it will open forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start, it is more cleaner way for doing this.






        share|improve this answer

























        • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

          – Leszek R.
          Nov 27 '13 at 22:47







        • 2





          We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

          – Colin Bacon
          Nov 28 '13 at 9:30











        • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

          – Dmitri Trofimov
          Apr 27 '16 at 12:23











        • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

          – StuartQ
          Jul 19 '16 at 9:30













        4












        4








        4







        Try something like this in Global.asax:



        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
         
         HttpContext.Current.Response.Headers.Remove("X-Frame-Options");


        EDIT:



        Look at answer of Colin Bacon. It is more correct than mine.



        In short - don't remove this header if you don't want to run your site in IFRAME because it will open forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start, it is more cleaner way for doing this.






        share|improve this answer















        Try something like this in Global.asax:



        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
         
         HttpContext.Current.Response.Headers.Remove("X-Frame-Options");


        EDIT:



        Look at answer of Colin Bacon. It is more correct than mine.



        In short - don't remove this header if you don't want to run your site in IFRAME because it will open forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start, it is more cleaner way for doing this.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited May 23 '17 at 12:26









        Community

        11




        11










        answered Nov 27 '13 at 22:31









        Oleksii AzaOleksii Aza

        4,7092132




        4,7092132












        • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

          – Leszek R.
          Nov 27 '13 at 22:47







        • 2





          We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

          – Colin Bacon
          Nov 28 '13 at 9:30











        • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

          – Dmitri Trofimov
          Apr 27 '16 at 12:23











        • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

          – StuartQ
          Jul 19 '16 at 9:30

















        • It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

          – Leszek R.
          Nov 27 '13 at 22:47







        • 2





          We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

          – Colin Bacon
          Nov 28 '13 at 9:30











        • Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

          – Dmitri Trofimov
          Apr 27 '16 at 12:23











        • Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

          – StuartQ
          Jul 19 '16 at 9:30
















        It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

        – Leszek R.
        Nov 27 '13 at 22:47






        It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though.

        – Leszek R.
        Nov 27 '13 at 22:47





        2




        2





        We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

        – Colin Bacon
        Nov 28 '13 at 9:30





        We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

        – Colin Bacon
        Nov 28 '13 at 9:30













        Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

        – Dmitri Trofimov
        Apr 27 '16 at 12:23





        Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one.

        – Dmitri Trofimov
        Apr 27 '16 at 12:23













        Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

        – StuartQ
        Jul 19 '16 at 9:30





        Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame?

        – StuartQ
        Jul 19 '16 at 9:30











        2














        Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



        This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



        public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)

         string token = AntiForgery.GetHtml().ToString();
         HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

         httpResponse.Headers.Remove("X-Frame-Options");
         if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
         
         httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
         
         return new MvcHtmlString(token);






        share|improve this answer



























          2














          Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



          This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



          public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)

           string token = AntiForgery.GetHtml().ToString();
           HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

           httpResponse.Headers.Remove("X-Frame-Options");
           if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
           
           httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
           
           return new MvcHtmlString(token);






          share|improve this answer

























            2












            2








            2







            Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



            This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



            public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)

             string token = AntiForgery.GetHtml().ToString();
             HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

             httpResponse.Headers.Remove("X-Frame-Options");
             if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
             
             httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
             
             return new MvcHtmlString(token);






            share|improve this answer













            Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.



            This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.



            public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)

             string token = AntiForgery.GetHtml().ToString();
             HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

             httpResponse.Headers.Remove("X-Frame-Options");
             if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
             
             httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
             
             return new MvcHtmlString(token);







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Aug 27 '15 at 14:36









            ZarephethZarepheth

            1,60021740




            1,60021740





















                2














                If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



                https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/






                share|improve this answer



























                  2














                  If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



                  https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/






                  share|improve this answer

























                    2












                    2








                    2







                    If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



                    https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/






                    share|improve this answer













                    If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.



                    https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jun 30 '16 at 18:47









                    long2knowlong2know

                    1,02789




                    1,02789





















                        0














                        Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site.I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.



                        public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter

                         public override void OnResultExecuted(ResultExecutedContext filterContext)
                         
                         filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
                         base.OnResultExecuted(filterContext);






                        share|improve this answer



























                          0














                          Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site.I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.



                          public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter

                           public override void OnResultExecuted(ResultExecutedContext filterContext)
                           
                           filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
                           base.OnResultExecuted(filterContext);






                          share|improve this answer

























                            0












                            0








                            0







                            Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site.I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.



                            public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter

                             public override void OnResultExecuted(ResultExecutedContext filterContext)
                             
                             filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
                             base.OnResultExecuted(filterContext);






                            share|improve this answer













                            Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site.I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames e.g. widgets.



                            public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter

                             public override void OnResultExecuted(ResultExecutedContext filterContext)
                             
                             filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
                             base.OnResultExecuted(filterContext);







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Mar 27 at 5:18









                            Denys WesselsDenys Wessels

                            13.7k1256105




                            13.7k1256105



























                                draft saved

                                draft discarded
















































                                Thanks for contributing an answer to Stack Overflow!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20254303%2fmvc-5-prevents-access-to-content-via-iframe%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                -

                                Popular posts from this blog

                                1928 у кіно

                                Image
                                Роки в кіно   1870-ті   1880-ті 1888  • 1889 1890-ті 1890  • 1891  • 1892  • 1893  • 1894 1895  • 1896  • 1897  • 1898  • 1899 1900-ті 1900  • 1901  • 1902  • 1903  • 1904 1905  • 1906  • 1907  • 1908  • 1909 1910-ті 1910  • 1911  • 1912  • 1913  • 1914 1915  • 1916  • 1917  • 1918  • 1919 1920-ті 1920  • 1921  • 1922  • 1923  • 1924 1925  • 1926  • 1927  • 1928  • 1929 1930-ті 1930  • 1931  • 1932  • 1933  • 1934 1935  • 1936  • 1937  • 1938  • 1939 1940-ві 1940  • 1941  • 1942  • 1943  • 1944 1945  • 1946  • 1947  • 1948  • 1949 1950-ті 1950  • 1951  • 1952  • 1953  • 1954 1955  • 1956  • 1957  • 1958  • 1959 1960-ті 1960  • 1961  • 1962  • 1963  • 1964 1965  • 1966  • 1967  • 1968  • 1969 1970-ті 1970  • 1971  • 1972  • 1973  • 1974 1975  • 1976  • 1977  • 1978  • 1979 1980-ті 1980  • 1981  • 1982  • 1983  • 1984 1985  • 1986  • 1987  • 1988  • 1989 1990-ті 1990  • 1991  • 1992  • 1993  • 1994 1995  • 1996  • 1997  • 1998  • 1999 2000-ні 2000  • 2001  • 2002  • 2003  • 2004 2005
                                Read more

                                Захаров Федір Захарович

                                Image
                                Федір Захарович Захаров Федір Захаров, 1986 рік Народження 5 вересня 1919 ( 1919-09-05 ) Олександрівське [d] , Смоленська губернія , Російська СФРР Смерть 29 вересня 1997 ( 1997-09-29 ) (78 років)   Ялта , Автономна Республіка Крим , Україна Громадянство  СРСР →  Україна Навчання Московське художньо-промислове училище імені М. І. Калініна (1935—1941) Московський художній інститут імені В. І. Сурикова (1943—1950) Діяльність художник Напрямок імпресіонізм Роки творчості 1950—1994 Покровитель А. Лентулов І. Чекмасов Г. Ряжський Вплив російський живопис кінця 19 — початку 20 століть Вплив на Бондар Іван Іванович Нагороди Премії Звання Захаров Федір Захарович у Вікісховищі ? У Вікіпедії є статті про інших людей з прізвищем Захаров. Федір Захарович Захаров ( 5 вересня 1919 ( 1919-09-05 ) , Олександрівське [d] , Російська СФРР  — 29 вересня 1997 ( 1997-09-29 ) , Ялта , Україна ) — радянський та український художник, Заслужений діяч мистецтв УРСР (1970), народний художник УРС
                                Read more

                                Ель Греко

                                Image
                                Ель Греко ісп. El Greco «Портрет старого» (Автопортрет Ель Греко), бл. 1595–1600, олія на полотні При народженні Доменікос Теотокопулос Народження 1541 ( 1541 ) Крит, Венеціанська Республіка (нині Греція) Смерть 7 квітня 1614 ( 1614-04-07 )   Толедо, Іспанія Поховання Монастир Санто Домінго де Сілос [d] Національність грек Громадянство  Іспанія Релігія Римо-католицька церква Жанр портретний живопис [d] , міфологічний живопис і релігійний живопис [d] Діяльність художник , скульптор , архітектор , митець Напрямок маньєризм Вплив Тіціан Твори Воскресіння [d] , Краєвид Толедо і Погребіння графа Оргаса [d] Автограф Ель Греко у Вікісховищі ? Ель Гре́ко (ісп. El Greco — грек, справжнє ім'я Доменікос Теотокопулос (грец. Δομήνικος Θεοτοκόπουλος ), *1541, Крит, Венеціанська Республіка — †7 квітня 1614, Толедо, Іспанія) — іспанський художник грецького походження. Один із представників Критської школи . Зміст 1 Походження і навчання 2 Ікони 3 Автопортрети 4 Італійський
                                Read more