Duplicate X-Frame-Options SAMEORIGIN

X-Frame-Options is a response header that helps protect against clickjacking. Clickjacking is a clever attack: it fools the user into thinking they are clicking on a trusted link, when in fact they are clicking inside a frame placed over the page.

With X-Frame-Options, you instruct the browser, via the header, whether to allow or deny the page being framed.

An issue arises when using Html.AntiForgeryToken(), because this helper emits its own X-Frame-Options header, so the response ends up carrying the header twice, as can be seen in the code below.

To solve this problem, I will show you two options.

The first option is to create a custom attribute, apply it to a master (base) controller, and have every controller that needs it inherit from that master controller.
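As an added example (not the author's code), this is one way to implement the attribute and master controller described above. It assumes ASP.NET MVC 5 (System.Web.Mvc) in the IIS integrated pipeline; the attribute and controller names are my own.

```csharp
using System;
using System.Web.Mvc;

// Added example: a result filter that strips the X-Frame-Options header that
// Html.AntiForgeryToken() emits while the view renders, so the single SAMEORIGIN
// value configured site-wide (web.config customHeaders or NWebsec) is the one
// the browser receives. Name is hypothetical.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class SuppressAntiForgeryFrameOptionsAttribute : ActionFilterAttribute
{
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        // OnResultExecuted runs after the view has been rendered, i.e. after the
        // anti-forgery helper has already added its header to the response.
        var response = filterContext.HttpContext.Response;
        response.Headers.Remove("X-Frame-Options");

        // The header configured under <httpProtocol><customHeaders> in web.config
        // is appended by IIS when the response is sent, so it is not affected.
        base.OnResultExecuted(filterContext);
    }
}

// Master controller: every controller that renders anti-forgery tokens inherits
// from it, so the filter applies without decorating each action. Name is hypothetical.
[SuppressAntiForgeryFrameOptions]
public abstract class MasterController : Controller
{
}

// Example consumer whose view contains @Html.AntiForgeryToken().
public class AccountController : MasterController
{
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }
}
```

The Global.asax approach mentioned in the comments corresponds to setting AntiForgeryConfig.SuppressXFrameOptionsHeader = true (System.Web.Helpers) in Application_Start, which stops the helper emitting the header at all rather than removing it afterwards.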

The second option is a bit more 'blunt', in that we hard-code the suppression in the view itself:

@Html.AntiForgeryToken()
@* The helper above has just added X-Frame-Options to the response; remove it here so only the site-wide value remains. *@
@{ Response.Headers.Remove("X-Frame-Options"); }

Now in the web.config file, under httpProtocol > customHeaders, we can add <add name="X-Frame-Options" value="SAMEORIGIN" />, or if using NWebsec we can add <x-Frame-Options policy="SameOrigin" /> to its securityHttpHeaders section.

This protects the entire site while removing the duplicate X-Frame-Options header.

Either option will solve the problem of the duplicate X-Frame-Options header. Which one you use is up to you.

Summary

I hope you found this blog useful, and if you have any questions, please use the form below.

Comments

Thanks for this. A colleague noticed that this can also be set in Application_Start in Global.asax to globally suppress these headers.

Comment posted by Greg Allan on 11 Jun 2020 14:16

Hi Greg, thanks for the heads-up about the Global.asax file.

Thanks, this helped me fix an issue that had me stumped for hours.

Comment posted by Luke Thompson on 02 Dec 2019 14:12

Hi Luke, I'm happy to hear this post helped you solve the problem.