I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set to ‘SAMEORIGIN’. This is actually a reasonable default as it helps mitigate the risk of clickjacking. The website in question, however, is designed to run in an iframe, and this header immediately caused issues.

After a fruitless search of all my code in Visual Studio for ‘X-Frame-Options’ and ‘SAMEORIGIN’, I decided to try Windows Grep as a last resort, and it found that ‘SAMEORIGIN’ was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header when you call Html.AntiForgeryToken() as of August this year. Even better, there’s an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader to true (I’ve done this in my Application_Start() method). MSDN didn’t even document this property yet, so I’m lucky to have found it. Two other bloggers have written about this in English and Japanese.
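The fix described above, written out as an added example (not the post's own code): a Global.asax that sets AntiForgeryConfig.SuppressXFrameOptionsHeader in Application_Start(). Since suppressing the header removes the clickjacking mitigation entirely, the example also puts a narrower framing policy back with a Content-Security-Policy frame-ancestors header that names only the host meant to embed the site. The AllowedFramingOrigin value is a placeholder, and the RouteConfig/AreaRegistration calls are the standard MVC 5 template ones, assumed to exist in the project.

```csharp
using System.Web;
using System.Web.Helpers;   // AntiForgeryConfig lives here (System.Web.WebPages.dll)
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    // Placeholder: the one origin that is supposed to frame this site (e.g. the page
    // hosting the iframe). Replace with the real embedding host before deploying.
    private const string AllowedFramingOrigin = "https://embedding-host.example";

    protected void Application_Start()
    {
        // Standard MVC 5 template registrations (assumed to exist in the project).
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // Stop Html.AntiForgeryToken() from emitting "X-Frame-Options: SAMEORIGIN".
        // With this set, no X-Frame-Options header is added at all.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }

    protected void Application_BeginRequest()
    {
        // Suppressing X-Frame-Options leaves the site frameable by anyone, so reinstate
        // a deliberate policy: only AllowedFramingOrigin may put this site in a frame.
        // frame-ancestors must be delivered as a header; browsers ignore it in a <meta> tag.
        Response.AppendHeader("Content-Security-Policy",
            "frame-ancestors " + AllowedFramingOrigin);
    }
}
```

A quick check after deploying: request any page that renders Html.AntiForgeryToken() and confirm the response carries Content-Security-Policy but no X-Frame-Options header; a page framed from an origin other than AllowedFramingOrigin should then be refused by the browser, while the intended embedder still works.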
Thank you very much for this hint. It saved me much time when I moved a website under a Facebook tab iframe.
Thanks for the info. This saved me a lot of time!!
Today you are my hero! Thanks for sharing this!
Awesome, you saved my day. Thank you
thank you
Yes! Thank you. Same issue, been beating my head against the wall.
Looks like it is now documented also.
https://msdn.microsoft.com/en-us/library/system.web.helpers.antiforgeryconfig.suppressxframeoptionsheader(v=vs.111).aspx
saved my life today, thanks big-time