I wanted to include my latest personal project on a website that has a catalog of samples and was surprised that the browser refused to load the external content in an iframe because it included an X-FRAME-OPTIONS header set to SAMEORIGIN.
I didn’t do anything to add this header so I figured Azure, IIS or ASP.NET was adding it automatically in an effort to be secure-by-default. I wanted to turn it off.
I found no setting on the Azure WebApp that seemed relevant. Next, on IIS I tried to clear the <customHeaders> section in web.config, but that had no effect. In ASP.NET land I tried to remove the header in Application_EndRequest in Global.asax, but that throws an exception when using OWIN. Finally, I found this hidden setting that does the trick:
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
I don’t know how anybody is supposed to find these things without Stack Overflow.
Federico
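An added example, not part of the original post: one way to apply the setting at startup while keeping framing restricted to the site that needs it, using a Content-Security-Policy frame-ancestors directive in place of the suppressed header. The origin https://catalog.example is a placeholder, and the class names MvcApplication and Startup are assumptions about the project layout.

```csharp
using System.Web;
using System.Web.Helpers;
using Microsoft.Owin;
using Owin;

// Global.asax.cs (class name assumed)
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Stop the anti-forgery helpers from emitting X-Frame-Options: SAMEORIGIN.
        // From here on the app has no framing restriction unless one is added back.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }
}

// OWIN startup class (class name assumed)
public class Startup
{
    // Placeholder: the one external origin allowed to embed this app.
    private static readonly string[] AllowedFramers = { "https://catalog.example" };

    public void Configuration(IAppBuilder app)
    {
        // 'self' keeps same-origin framing working, as SAMEORIGIN did.
        string policy = "frame-ancestors 'self' " + string.Join(" ", AllowedFramers);

        app.Use(async (context, next) =>
        {
            // Register the callback first; it runs just before the response
            // headers are sent, after the rest of the pipeline had its say.
            context.Response.OnSendingHeaders(state =>
            {
                var response = (IOwinResponse)state;
                // Leave an existing policy alone; merge frame-ancestors into it
                // where the app already sets Content-Security-Policy.
                if (!response.Headers.ContainsKey("Content-Security-Policy"))
                {
                    response.Headers.Set("Content-Security-Policy", policy);
                }
            }, context.Response);

            await next();
        });
    }
}
```

A request to any page should then show no X-Frame-Options header and a Content-Security-Policy header listing only the allowed origins, which can be confirmed in the browser's network tab.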