19 November 2014

X-Frame-Options & SAMEORIGIN

Refused to display 'http://extremedev.example.com' in a frame because it is set 'X-Frame-Options' to 'SAMEORIGIN'

This is an error that can appear when you want to display a site through an iframe of another site. It will not allow for the site within the iframe to be displayed.

So what to do in this case?

There are several articles on the internet that are suggesting that you need to add some headers that will allow the display of the site through the iframe from different domains. For example: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Well but not in all cases.
I also had this problem and the we tried everything but nothing helped. Then we found out that we are using @Html.AntiForgeryToken()  in our code.

Well with ASP.NET MVC 4 there is no problem with that but in the newer version: ASP.NET MVC 5.

ASP.NET MVC 5 in combination with @Html.AntiForgeryToken() your Razor will automatically add the X-Frame-Options HTTP Header with the SAMEORIGIN value.

They are doing that specially so no one will be able to put your site as an iframe.

THE FIX FOR THIS  all you need is to add the following code in the Global.asax.cs Application_Start() method the following code:

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;


diabser said...

Good article.

123 123 said...

helpful,thank you

Buy Contact Lenses Online said...

Hey keep posting such good and meaningful articles.

Post a Comment

your thoughts are welcome:

Need more? Leave comments and subscribe to my blog.