Multiple 'X-Frame-Options' headers with conflicting values
E

4

13

Update: This works for IE but Chrome is still throwing this error. I am attempting to i-frame a site I own by another site I own. Here is the error message I am getting in the JS console on Chrome:

Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.

I did a search for SAMEORIGIN everywhere; I am not setting this ANYWHERE.

The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously same-origin policies keep me from doing this. So I have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". In the begin-request method I have added this:

HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

On the page level I have added this:

<meta name="x-frame-options" content="allowall" />

In JavaScript I have added this:

<script type="text/javascript">
    document.domain = "mysite.com";
</script>

I am running out of things to try... Thank you in advance for your assistance.

Equitant answered 4/3, 2014 at 20:28 Comment(0)
E
2

Turns out MVC4 adds the header by itself (unsolicited). The only way to get around this was to explicitly remove the header.

Response.Headers.Remove("X-Frame-Options");

There may be a way to convince MVC4 not to do this but it did not surface in my scores of Google queries.

Equitant answered 5/3, 2014 at 4:32 Comment(1)
I have a similar question. I am wondering if you can have a look. - Bandwagon
P
22

In my case it was the anti-forgery token that was adding the header. Adding this in Application_Start stopped it from adding it:

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame.

Pirogue answered 5/6, 2014 at 8:58 Comment(2)
Yep, me too... +1 for the time-savings - Footloose
@MiketheTike I have a similar question. I am wondering if you can have a look. - Bandwagon
B
1

Some further detail to Mike the Tike's answer: this is added to the Application_Start method in Global.asax.cs, where you'll need the using directive System.Web.Helpers.

Business answered 28/8, 2014 at 9:9 Comment(0)
M
0

IIS might be adding a second header after yours (you can see this by pressing F12 for Developer Tools in Chrome, attempt to load the page, then click Network, and right-click on the failed page to copy the response headers to have a look).

To stop IIS from adding the header:

  • Run IIS Manager
  • Select your website
  • Double click the HTTP Response Headers for the application (or on older IIS, right click on the website, click Properties, then HTTP Headers)
  • Then you can override or remove the extra header
Monody answered 5/3, 2014 at 1:36 Comment(0)
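
To make the header inspection described in this answer repeatable, the following added example (not code from any answer on this page) takes response headers copied from the Network tab and reports how the X-Frame-Options values combine. The function names, outcome labels and sample headers are constructed for illustration, and the combination rules are modelled on the X-Frame-Options processing in the HTML Standard as an assumption; the exact console wording in the question comes from the Chrome version the asker used.

```javascript
// Added example. Headers below are constructed to mirror the question's error.
const SAMPLE_HEADERS = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "X-Frame-Options: AllowAll",
  "X-Frame-Options: SAMEORIGIN",
  "X-Frame-Options: AllowAll",
].join("\r\n");

// Values that count as a real directive when deciding whether a mix conflicts.
// "allowall" is a legacy value: it grants nothing, it only takes part in conflicts.
const RECOGNIZED = ["deny", "sameorigin", "allowall"];

// Gather every X-Frame-Options value. Repeated header lines and a single
// comma-separated line are equivalent, so both are flattened into one list.
function collectXfo(rawHeaders) {
  const values = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const match = /^x-frame-options\s*:(.*)$/i.exec(line.trim());
    if (!match) continue;
    for (const part of match[1].split(",")) {
      if (part.trim()) values.push(part.trim());
    }
  }
  return values;
}

// Classify the combined policy (outcome labels are hypothetical names):
//   no-header         nothing sent, framing is not restricted by this header
//   blocked-conflict  different values including a recognized one, frame refused
//   deny / sameorigin one effective directive
//   no-effect         only unrecognized values (or a lone allowall), header ignored
function auditXfo(rawHeaders) {
  const values = collectXfo(rawHeaders);
  const distinct = [...new Set(values.map((v) => v.toLowerCase()))];
  let outcome = "no-effect";
  if (distinct.length === 0) outcome = "no-header";
  else if (distinct.length > 1) {
    if (distinct.some((v) => RECOGNIZED.includes(v))) outcome = "blocked-conflict";
  } else if (distinct[0] === "deny" || distinct[0] === "sameorigin") {
    outcome = distinct[0];
  }
  return { values, distinct, outcome };
}

console.log(auditXfo(SAMPLE_HEADERS));
```

A "no-effect" result means the header does not restrict framing at all, so a site that needs to limit who can frame it should not treat an unrecognized value as protection.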
