MVC 5 prevents access to content via Iframe

Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:

X-Frame-Options: SAMEORIGIN

I understand the security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), and this extra header is preventing that.

I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 - the header is gone.

Does anyone know how to remove this default from MVC5?

Flora answered 27/11, 2013 at 22:29 Comment(2)
This same question was just asked, so if you don't get an answer here, keep an eye on that one. – Quizzical
Does this answer your question? Setting Access-Control-Allow-Origin in ASP.Net MVC - simplest possible method – Psychasthenia

MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.

But we can turn this off in Application_Start in the Global.asax.cs.

Example

// Global.asax.cs (needs: using System.Web.Helpers;)
protected void Application_Start()
{
    // Stop @Html.AntiForgeryToken() from adding X-Frame-Options: SAMEORIGIN
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}

Update

I have written a post about this: MVC5 prevents your website being loaded in an IFRAME

Sarracenia answered 28/11, 2013 at 9:28 Comment(5)
What if I only want to allow certain pages to be iframe loaded? Previously I had a custom attribute AllowAnyOriginAttribute : ActionFilterAttribute. Can I change the configuration per request, or is Application_PreSendRequestHeaders still preferred in this scenario (as per https://mcmap.net/q/329738/-mvc-5-prevents-access-to-content-via-iframe)? – Munro
Thanks, this helper @Html.AntiForgeryToken() is what causes the header to be added. In AntiForgeryWorker.cs: if (!this._config.SuppressXFrameOptionsHeader) httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN"); – Sagittate
You could just add this to your web.config: <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer> – Fanestil
This answer requires the System.Web.Helpers namespace in your global.asax file. – Euphonium
Http Headers issues: #34270692 – Brasserie

Try something like this in Global.asax:

// Global.asax.cs (needs: using System; using System.Web;)
// Strips the header just before the response headers are flushed to the client
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
}

EDIT:

Look at the answer of Colin Bacon. It is more correct than mine.

In short: don't remove this header if you don't want to run your site in an IFRAME, because it will open a forgery vulnerability. But if you still want to remove it, use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start; it is a cleaner way of doing this.

Shirring answered 27/11, 2013 at 22:31 Comment(4)
It feels a bit like a hack, right before the page is sent out, the tag is stripped, but it works, so I am accepting your answer. - It would be nice to know why the tag is being added though. – Flora
We can actually suppress this in app_start with AntiForgeryConfig.SuppressXFrameOptionsHeader = true; – Sarracenia
Nice. Easy fix for a not so good code with 300 form tags with antiforgeries on each one. – Fiore
Isn't this the better answer if you only want to allow some pages to be accessed via an IFrame? – Gorden

If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.

https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/

Cause answered 30/6, 2016 at 18:47 Comment(0)

Personally, I don't think it's a good idea to disable the X-Frame-Options across the whole site. I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames, e.g. widgets.

using System.Web.Mvc;

// Apply to the controllers/actions that are meant to be framed. Runs after the
// view has rendered, i.e. after @Html.AntiForgeryToken() has added the header.
public class AllowDifferentOrigin : ActionFilterAttribute
{
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
        base.OnResultExecuted(filterContext);
    }
}
Patrimony answered 27/3, 2019 at 5:18 Comment(0)

Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.

This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.

using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public static class AntiForgeryHtmlExtensions
{
    // Drop-in for @Html.AntiForgeryToken(): same token, at most one X-Frame-Options header
    public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)
    {
        // AntiForgery.GetHtml() is what the built-in helper calls; it adds the header itself
        string token = AntiForgery.GetHtml().ToString();
        HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;

        // Remove every X-Frame-Options value added so far (by this or earlier tokens)...
        httpResponse.Headers.Remove("X-Frame-Options");
        // ...then put back exactly one, unless suppression is configured
        if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
        {
            httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
        }
        return new MvcHtmlString(token);
    }
}
Longs answered 27/8, 2015 at 14:36 Comment(0)
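Added example, not code from the question or from any of the answers above: it combines the AntiForgeryConfig.SuppressXFrameOptionsHeader setting from the accepted answer with the per-action filter idea from the AllowDifferentOrigin answer and the "exactly one header" goal of the extension-method answer. Every response keeps a frame-busting header except actions explicitly opted in, and those get a Content-Security-Policy frame-ancestors allowlist for the partner origins instead of merely losing X-Frame-Options (which can only express DENY or SAMEORIGIN). FrameOptionsFilter, AllowFramingFromAttribute, WidgetController and the origin https://partner.example are assumed names and placeholders.

```csharp
using System;
using System.Linq;
using System.Web.Helpers;
using System.Web.Mvc;

// Marker attribute (assumed name): the decorated action, or every action of a
// decorated controller, may be framed by the listed origins. No origins = any origin.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowFramingFromAttribute : Attribute
{
    public string[] Origins { get; private set; }

    public AllowFramingFromAttribute(params string[] origins)
    {
        // Normalise to scheme + host[:port]; a malformed entry throws when the
        // action is first resolved instead of silently emitting a broken CSP directive.
        Origins = (origins ?? new string[0])
            .Select(o => new Uri(o, UriKind.Absolute).GetLeftPart(UriPartial.Authority))
            .ToArray();
    }
}

// Registered globally. Decides the policy in OnActionExecuting (where the action
// descriptor is available; ResultExecutedContext does not expose it) and writes the
// headers in OnResultExecuted, after the view has rendered, so a header added by a
// stray @Html.AntiForgeryToken() is replaced rather than duplicated.
public sealed class FrameOptionsFilter : ActionFilterAttribute
{
    private const string PolicyKey = "FrameOptionsFilter.Policy";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        ActionDescriptor action = filterContext.ActionDescriptor;
        AllowFramingFromAttribute optIn = action
            .GetCustomAttributes(typeof(AllowFramingFromAttribute), true)
            .Concat(action.ControllerDescriptor.GetCustomAttributes(typeof(AllowFramingFromAttribute), true))
            .OfType<AllowFramingFromAttribute>()
            .FirstOrDefault();
        filterContext.HttpContext.Items[PolicyKey] = optIn;   // null = site default
    }

    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        var optIn = filterContext.HttpContext.Items[PolicyKey] as AllowFramingFromAttribute;

        // Needs the IIS integrated pipeline: Headers.Remove throws under classic mode.
        response.Headers.Remove("X-Frame-Options");

        if (optIn == null)
        {
            // Site-wide default, equivalent to what MVC 5 emits on its own, plus the
            // CSP form of the same rule for browsers that prefer it.
            response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
            response.AppendHeader("Content-Security-Policy", "frame-ancestors 'self'");
        }
        else
        {
            // Opted-in action: no X-Frame-Options, the allowlist goes in frame-ancestors.
            // Appending keeps any CSP header the app already set; browsers enforce all of them.
            string ancestors = optIn.Origins.Length == 0 ? "*" : string.Join(" ", optIn.Origins);
            response.AppendHeader("Content-Security-Policy", "frame-ancestors " + ancestors);
        }
    }
}

// Global.asax.cs
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // The helper no longer emits the header; FrameOptionsFilter owns it for every response.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
        GlobalFilters.Filters.Add(new FrameOptionsFilter());
        // RouteConfig / AreaRegistration calls of the real application go here.
    }
}

// Assumed controller showing both cases.
public class WidgetController : Controller
{
    // Framable only by the (placeholder) partner origin; the response carries
    // Content-Security-Policy: frame-ancestors https://partner.example
    [AllowFramingFrom("https://partner.example")]
    public ActionResult Embed()
    {
        return View();
    }

    // Not opted in: X-Frame-Options: SAMEORIGIN and frame-ancestors 'self'.
    public ActionResult Index()
    {
        return View();
    }
}
```

Two caveats when using this. Browsers that do not understand CSP frame-ancestors ignore it, so an opted-in action is framable from anywhere in such browsers; X-Frame-Options has no portable way to allow a list of foreign origins (ALLOW-FROM takes a single origin and was never supported by all browsers), so this is the trade-off for any cross-domain widget. And the header only controls framing: the antiforgery token is still needed on any form the widget posts, since the filter does nothing about CSRF.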

© 2022 - 2024 — McMap. All rights reserved.