Does anyone know why the response returned by an ASP.NET MVC controller contains the X-FRAME-OPTIONS: SAMEORIGIN header so many times? I think this might be a bug in the framework (using version 4.5.1).
It seems as though the header is added once for each form on the page. My workaround is to disable the header in MVC and add it in the web.config file instead, like this:
Global.asax.cs:
protected void Application_Start()
{
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
Web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
You can remove the HTTP header X-Frame-Options: SAMEORIGIN from WordPress by removing the send_frame_options_header function from the admin_init and login_init hooks. For example, you can add the following to your theme's functions.
In the feature list in the middle, double-click the HTTP Response Headers icon. In the list of headers that appears, select X-Frame-Options. Click Remove in the Actions pane on the right side.
Enabling X-Frame-Options header
Open up the Network panel in Chrome DevTools and if your site is using a security header it will show up on the Headers tab. Another quick way to check your security headers is to quickly scan your site with a free tool, securityheaders.io, created by Scott Helme.
The header is added each time you call @Html.AntiForgeryToken(), which means that if you have multiple forms on your pages and each form includes that call, you'll get duplicate headers.
A comment to the question references this blog: http://daveonsoftware.blogspot.ru/2015_03_01_archive.html. I think that's a good explanation of the problem. In my application, I picked option #3.
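A quick way to confirm the duplicate-header behaviour described in the answers above, and to tell a harmless repeat apart from a genuinely conflicting one, is to parse the raw response head and classify the X-Frame-Options values. The following Python script is an added example, not code from the original question, the answers, or the ASP.NET framework; the sample response it inspects is constructed to mimic a page with three forms before the SuppressXFrameOptionsHeader workaround is applied.

```python
"""
Parse a raw HTTP response head and report duplicated or conflicting
X-Frame-Options headers.  Added example with a constructed sample response.
"""
from collections import defaultdict

# Constructed sample: what an MVC page with three @Html.AntiForgeryToken()
# calls might send back before the workaround from the question is applied.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The only two values current browsers honour; ALLOW-FROM is obsolete.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Return a dict of lower-cased header name -> list of values, in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = defaultdict(list)
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def check_x_frame_options(raw):
    """
    Classify the X-Frame-Options situation in a raw response.

    Returns (status, values) where status is one of:
      'missing'     - no header at all
      'ok'          - exactly one valid value
      'duplicate'   - repeated with identical values (noisy, but consistent)
      'conflicting' - repeated with different values (browsers handle this
                      inconsistently, so treat it as a defect to fix)
      'invalid'     - a value that is neither DENY nor SAMEORIGIN
    """
    values = [v.upper() for v in parse_headers(raw).get("x-frame-options", [])]
    if not values:
        return "missing", values
    if any(v not in VALID_XFO for v in values):
        return "invalid", values
    if len(values) == 1:
        return "ok", values
    if len(set(values)) == 1:
        return "duplicate", values
    return "conflicting", values


if __name__ == "__main__":
    status, values = check_x_frame_options(RAW_RESPONSE)
    print(f"X-Frame-Options: {status} {values}")
```

Run it against a captured response (for example the raw text from the Headers tab in the browser's Network panel) and look for anything other than "ok": "duplicate" is what the question describes and is cosmetic, while "conflicting" or "invalid" means the framing policy is not what you intended and the web.config value should be reconciled with whatever else is emitting the header.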