3

As I have already mentioned in the topic, I have an MVC site and I need to disable loading it into an IFrame.

I have created a simple page for testing purposes and I try to load my site and Google.com into two IFrames. I can see that my site is loaded but Google isn't. It means that it's necessary to change something in my MVC site.

    <!DOCTYPE html>
    <html>
    <body>

    <iframe src="http://localhost:61831/" width="1200" height="800">
      <p>Your browser does not support iframes.</p>
    </iframe>

    <iframe src="http://google.com" width="1200" height="800">
      <p>Your browser does not support iframes.</p>
    </iframe>

    </body>
    </html>

So what do I have to write in the MVC site, and where, to achieve that?

Yuriy Rypka

5 Answers

6

It is possible to use the X-Frame-Options HTTP header attribute to prevent an ASP.NET MVC application from being opened in an IFrame.

There are several different ways to insert this attribute into the HTTP header:

1. Configure IIS to add this attribute to all HTTP responses

2. Set this attribute in every necessary action method of every controller

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            Response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
            return View();
        }
    }

3. Create a C# attribute in the way described here and apply it to action methods and controllers

    // HttpHeader is the custom attribute mentioned above, not a built-in MVC type.
    [HttpHeader("X-Frame-Options", "SAMEORIGIN")]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

4. Set this attribute in the Global.asax file

    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            // ...
        }

        // Runs just before the response headers are sent, for every request.
        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
        {
            Response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
        }
    }

Community
Yuriy Rypka
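
Option 3 in the answer above relies on an `HttpHeader` attribute whose definition is not shown on this page. The following is an added example, not the answer author's code or the implementation it links to: a minimal ASP.NET MVC 5 action filter with that shape, plus a global registration. The `FilterConfig` class name follows the default project template and is an assumption.

```csharp
using System;
using System.Web.Mvc;

// Added example: a minimal action filter matching the
// [HttpHeader(name, value)] usage shown in option 3.
public class HttpHeaderAttribute : ActionFilterAttribute
{
    public string Name { get; private set; }
    public string Value { get; private set; }

    public HttpHeaderAttribute(string name, string value)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("Header name is required.", "name");
        if (value == null)
            throw new ArgumentNullException("value");
        Name = name;
        Value = value;
    }

    // Runs before the result (view) is rendered, so the header is set
    // before any part of the response body is written.
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Child actions (Html.Action / Html.RenderAction) share the parent's
        // response; skip them so the header is not appended once per partial.
        if (!filterContext.IsChildAction)
        {
            filterContext.HttpContext.Response.AppendHeader(Name, Value);
        }
        base.OnResultExecuting(filterContext);
    }
}

// Assumed FilterConfig, called from Application_Start as
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
// Global registration covers every controller and action, so a newly
// added action cannot be left framable by forgetting the attribute.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HttpHeaderAttribute("X-Frame-Options", "SAMEORIGIN"));
    }
}
```

MVC filters only run for requests handled by MVC actions. Static files that IIS serves directly do not pass through them, which is where the IIS and web.config approaches on this page differ.
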
5

A simple and quick solution is to add the following in Global.asax:

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
    }

Then give it a try with an iframe. Pages will not open in iframes. HTH.

ramiramilu
  • This is what I need, but there is one little mistake here: should be `Application_PreSendRequestHeaders` instead of `Application_PreSendRequestContent`. – Yuriy Rypka Jan 21 '14 at 16:16
  • I edited the answer. If my answer helped you, please mark it down as a helpful answer. – ramiramilu Jan 21 '14 at 16:19
5

You can also add an entry in web.config:

    <system.webServer>
      <!-- ... -->
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
      <!-- ... -->
    </system.webServer>

Echilon
0

You can configure IIS to always append the X-Frame-Options SAMEORIGIN header in its responses.

  • From IIS Management Console, select your application.
  • In the main panel, double-click HTTP Response Headers.
  • Click Add from the upper right pane.
  • Set the name to X-Frame-Options and the value to SAMEORIGIN then click OK.

This should prevent your site from being loaded into an iframe on a different host, without using any JavaScript or any extra code.

See developer.mozilla.org for the header documentation and technet.microsoft.com for IIS' configuration.

Drewman
0

As Drewman suggested, you want to use the X-Frame-Options header.

I would suggest you download the NuGet package NWebsec; there's an MVC-specific package. Also check out the configuration part.

Nilesh Thakkar