14

I updated my project MVC version to 5 and now iFrame does not load, I get this error:

Load denied by X-Frame-Options: www.blahblah.com does not permit cross-origin framing.

I noticed that for some reason now the X-Frame-Options header has SAMEORIGIN filled which does not allow the iframe to load a page from a different domain. This is a problem for me as I develop both the containing and inheriting page. I tried everything in IIS to change this header to no avail.

Anyone encountered this yet?

Lucas
  • 17,277
  • 5
  • 45
  • 40
RealityDysfunction
  • 2,609
  • 3
  • 26
  • 53
  • The question was just [asked again](http://stackoverflow.com/questions/20254303/mvc-5-prevents-access-to-content-via-iframe), so you may want to keep an eye on that one as well. – Joe Enos Nov 27 '13 at 22:32
  • Possible duplicate of [MVC 5 prevents access to content via Iframe](https://stackoverflow.com/questions/20254303/mvc-5-prevents-access-to-content-via-iframe) – Caique Romero Jul 03 '18 at 18:41

2 Answers2

24

I finally found the answer. Starting with MVC 5 Microsoft decided to set SAMEORIGIN in there by default. The best way I found to turn this tag off is by writing the following in the Global.asax.cs

protected void Application_Start()
{
//Bundles and stuff are here
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
Ryan Conrad
  • 6,870
  • 2
  • 36
  • 36
RealityDysfunction
  • 2,609
  • 3
  • 26
  • 53
0

Assuming your IFrame content is being served by your MVC app...

You might need to include a response header that permits cross origin requests:

Access-Control-Allow-Origin: *

Nick
  • 6,366
  • 5
  • 43
  • 62
  • 1
    I've tried adding various headers, the application slaps on SAMEORIGIN no matter what I do, and if the browser detects more than one header it errors out and slaps on DENY. – RealityDysfunction Nov 27 '13 at 22:11