13

Update: This works for IE but Chrome is still throwing this error. I am attempting to i-frame a site I own by another site I own. Here is error message I am getting in the JS console on Chrome:

Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.

I did a search for SAMEORIGIN everywhere I am not setting this ANYWHERE.

The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously same-origin policies keep me from doing this. So i have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". On the begin-request method i have added this:

HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

on the page level I have added this:

<meta name="x-frame-options" content="allowall" />

In Javascript i have added this: 

<script type="text/javascript">
    document.domain = "mysite.com";
</script>

I am running out of things to try... Thank you in advance for your assistance.

Arachnid
  • 280
  • 1
  • 3
  • 12

4 Answers4

22

In my case it was the anti-forgery token that was adding the header. Adding this in Application_Start stopped it from adding it:

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame.

Mike the Tike
  • 1,136
  • 8
  • 9
  • Yep, me too...+1 for the time-savings – JasonInVegas Jul 06 '17 at 18:03
  • @MiketheTike I have a similar [question](https://stackoverflow.com/questions/53255468/how-to-solve-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame-err). I am wondering if you can have a look. – john Nov 18 '18 at 23:10
2

Turns out MVC4 adds the header by itself (unsolicited). The only way to get around this was to explicitly remove the header.

Response.Headers.Remove("X-Frame-Options");

There may be a way to convince MVC4 not to do this but it did not service in my scores of Google queries.

Arachnid
  • 280
  • 1
  • 3
  • 12
  • I have a similar [question](https://stackoverflow.com/questions/53255468/how-to-solve-blocked-a-frame-with-origin-from-accessing-a-cross-origin-frame-err). I am wondering if you can have a look. – john Nov 18 '18 at 23:12
1

Some further detail to to Mike the Tike's answer, this is added to the application_start method in global.asax.cs, where you'll need the using directive system.web.helpers

Phil Kermeen
  • 139
  • 1
  • 4
0

IIS might be adding a second header after yours (you can see this by pressing F12 for Developer Tools in Chrome, attempt to load the page, then click Network, and right-click on the failed page to copy the response headers to have a look).

To stop IIS from adding the header:

  • Run IIS Manager
  • Select your website
  • Double click the HTTP Response Headers for the application (or on older IIS, right click on the website, click Properties, then HTTP Headers)
  • Then you can override or remove the extra header
cometfish
  • 523
  • 2
  • 6
  • 15