nickornotto

Reputation: 2156

How to suppress X-Frame-Options SAMEORIGIN response header?

I am trying to remove the X-Frame-Options SAMEORIGIN header or set it to ALLOWALL.

I have set it in my web.config and the same in my IIS's HTTP Response Headers for the site, yet I am still getting X-Frame-Options SAMEORIGIN in my browser and the iframe content does not render.

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Cache-Control" value="public" />
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="X-Frame-Options" value="ALLOWALL" />
  </customHeaders>
</httpProtocol>

It's the same in Firefox and Chrome.

Is there anywhere else I should look for it or can modify it?

Upvotes: 0

Views: 2356

Answers (1)

Tiberiuscan

Reputation: 423

Go to Application_Start() in Global.asax.cs and add this line:

System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

Be aware though that this means anyone can use your application in an iframe. So it'll be worth adding a new file with this code:

using System.Web.Mvc;

namespace MyApplication
{
    // Global filter: sets X-Frame-Options: SAMEORIGIN on every MVC action response.
    public class NoIframeAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            filterContext.HttpContext.Response.Headers.Set("X-Frame-Options", "SAMEORIGIN");
        }
    }
}

Add the following line to the RegisterGlobalFilters method in FilterConfig.cs:

filters.Add(new NoIframeAttribute());

Now that it is safely back in your application, you can remove the X-Frame-Options header wherever you need to in your application with:

Response.Headers.Remove("X-Frame-Options");

Upvotes: 1
