Multiple X-Frame-Options Headers with Inconsistent Values

Update: this works for IE, but Chrome still throws this error. I am trying to iframe a site that I own from another site that I own. Here is the error message I get in the JS console in Chrome:

Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'. Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'. 

I searched for SAMEORIGIN and I am not setting this ANYWHERE.

The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously, the same-origin policy does not allow me to do this. So I set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". In the begin-request method, I added the following:

 HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
 HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
 HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

At the page level I added the following:

 <meta name="x-frame-options" content="allowall" /> 

In JavaScript, I added:

 <script type="text/javascript"> document.domain = "mysite.com"; </script> 

I'm ending my attempts to try ... Thanks for your help.

+6
4 answers

Turns out MVC4 adds the header on its own (unsolicited). The only way around this is to explicitly remove the header.

 Response.Headers.Remove("X-Frame-Options"); 

There may be a way to convince MVC4 not to do this, but it did not surface in my dozens of Google searches.

+1

In my case, it was the anti-forgery token that added the header. Adding this to Application_Start prevented it from being added:

 AntiForgeryConfig.SuppressXFrameOptionsHeader = true; 

Then I added X-Frame-Options in the web.config file, since I need the whole site for the IFrame.

+20

Some additional details for Mike Tyke's answer: this is added to the Application_Start method in the Global.asax.cs file, where you need the directive using System.Web.Helpers.

+1

IIS can add a second header after you (you can see this by pressing F12 for the developer tools in Chrome, try to load the page, then click "Network" and right-click on the error page to copy the response headers for a look).

To stop IIS from adding a header:

  • Launch IIS Manager
  • Choose your site
  • Double-click the HTTP response headers for the application (or on earlier IIS, right-click on the website, select "Properties", then "HTTP Headers").
  • You can then override or delete the optional header.
0
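
The conflict reported in the question's error message can be checked offline from response headers copied out of DevTools, as the last answer suggests. This is an added example, not code from any of the posts; it assumes the browser follows the HTML Standard's X-Frame-Options check, and `headerValues`, `evaluateFraming` and `SAMPLE` are hypothetical names with constructed input:

```javascript
// Added example; function names are hypothetical, not a browser or ASP.NET API.
// Assumption: the browser follows the HTML Standard's X-Frame-Options check.
const KNOWN = ["deny", "sameorigin", "allowall"];

// Collect all values of one header from raw "Name: value" lines, merging
// repeated header lines and comma-separated lists the way a browser does.
function headerValues(rawHeaders, name) {
  const values = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 1 || line.slice(0, idx).trim().toLowerCase() !== name) continue;
    for (const part of line.slice(idx + 1).split(",")) {
      if (part.trim() !== "") values.push(part.trim());
    }
  }
  return values;
}

// Returns { values, verdict, reason } for a response loaded in a frame.
function evaluateFraming(rawHeaders) {
  const values = headerValues(rawHeaders, "x-frame-options");
  const distinct = [...new Set(values.map((v) => v.toLowerCase()))];
  const result = (verdict, reason) => ({ values, verdict, reason });
  const csp = headerValues(rawHeaders, "content-security-policy");
  if (csp.some((p) => /(^|;)\s*frame-ancestors(\s|;|$)/i.test(p))) {
    return result("csp-governed", "frame-ancestors present; X-Frame-Options ignored");
  }
  if (distinct.length === 0) return result("not-restricted", "no X-Frame-Options header");
  if (distinct.length > 1) {
    return distinct.some((v) => KNOWN.includes(v))
      ? result("blocked", "conflicting values; treated as DENY")
      : result("not-restricted", "only unrecognised values; header ignored");
  }
  if (distinct[0] === "deny") return result("blocked", "DENY");
  if (distinct[0] === "sameorigin") return result("same-origin-only", "SAMEORIGIN");
  return result("not-restricted", "lone legacy or unrecognised value; header ignored");
}

// Constructed sample reproducing the value list from the error message above.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "X-Frame-Options: AllowAll",
  "X-Frame-Options: SAMEORIGIN",
  "X-Frame-Options: AllowAll",
].join("\n");

console.log(evaluateFraming(SAMPLE));
```

Under that assumption, a lone `AllowAll` comes out as `not-restricted` only because the value is not recognised and the header is ignored, so omitting the header has the same effect.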