Multiple 'X-Frame-Options' headers with conflicting values

StackOverflow https://stackoverflow.com/questions/22182310

Question

Update: This works for IE but Chrome is still throwing this error. I am attempting to i-frame a site I own by another site I own. Here is error message I am getting in the JS console on Chrome:

Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.

I did a search for SAMEORIGIN everywhere I am not setting this ANYWHERE.

The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously same-origin policies keep me from doing this. So i have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". On the begin-request method i have added this:

HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

on the page level I have added this:

<meta name="x-frame-options" content="allowall" />

In Javascript i have added this: 

<script type="text/javascript">
    document.domain = "mysite.com";
</script>

I am running out of things to try... Thank you in advance for your assistance.

Was it helpful?

Solution 2

Turns out MVC4 adds the header by itself (unsolicited). The only way to get around this was to explicitly remove the header.

Response.Headers.Remove("X-Frame-Options");

There may be a way to convince MVC4 not to do this but it did not service in my scores of Google queries.

OTHER TIPS

In my case it was the anti-forgery token that was adding the header. Adding this in Application_Start stopped it from adding it:

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame.

Some further detail to to Mike the Tike's answer, this is added to the application_start method in global.asax.cs, where you'll need the using directive system.web.helpers

IIS might be adding a second header after yours (you can see this by pressing F12 for Developer Tools in Chrome, attempt to load the page, then click Network, and right-click on the failed page to copy the response headers to have a look).

To stop IIS from adding the header:

  • Run IIS Manager
  • Select your website
  • Double click the HTTP Response Headers for the application (or on older IIS, right click on the website, click Properties, then HTTP Headers)
  • Then you can override or remove the extra header
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top