
X-Frame-Options bug in ASP.NET MVC (.NET 4.5.1)

Does anyone know why the response returned by an ASP.NET MVC controller contains the X-FRAME-OPTIONS: SAMEORIGIN header so many times? I think this might be a bug in the framework (using version 4.5.1).

It seems as though the header is added once for each form on the page. My workaround is to disable the header in MVC and add it in the web.config file instead, like this:

Global.asax.cs:

protected void Application_Start()
{
    System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}

Web.config:

<system.webServer>
  <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
  </httpProtocol>
</system.webServer>

The header is added each time you call @Html.AntiForgeryToken(), which means that if you have multiple forms on your pages and each form includes that call, you'll get duplicate headers.

A comment to the question references this blog: http://daveonsoftware.blogspot.ru/2015_03_01_archive.html . I think that's a good explanation of the problem. In my application, I picked option #3.
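
A check for the duplication described above, added here as an example and not part of the original question or answer: it parses a raw response head and reports whether X-Frame-Options is missing, present once, duplicated or conflicting. The function names and the sample response are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: response head for a page with three forms, each calling
# @Html.AntiForgeryToken(), with SuppressXFrameOptionsHeader left at its default.
SAMPLE_THREE_FORMS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

def parse_header_fields(raw_head):
    """Return {lowercased name: [values]} and keep every repeated field."""
    fields = defaultdict(list)
    for line in raw_head.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                             # blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # not a header field, ignore it
        fields[name.strip().lower()].append(value.strip())
    return dict(fields)

def audit_x_frame_options(raw_head):
    """Classify the X-Frame-Options state of one response head."""
    values = parse_header_fields(raw_head).get("x-frame-options", [])
    # An intermediary may fold repeated fields into one comma-joined value,
    # so count the individual directives rather than the header lines.
    tokens = [t.strip().upper() for v in values for t in v.split(",") if t.strip()]
    if not tokens:
        status = "missing"
    elif len(set(tokens)) > 1:
        status = "conflicting"                # e.g. DENY next to SAMEORIGIN
    elif len(tokens) > 1:
        status = "duplicate"                  # the symptom from the question
    else:
        status = "ok"
    return {"status": status, "count": len(tokens), "values": tokens}

if __name__ == "__main__":
    print(audit_x_frame_options(SAMPLE_THREE_FORMS))
```

Running the same audit after applying the Global.asax.cs and Web.config changes from the question should report a single header; a count above one means one of the two changes did not take effect.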
