Multiple 'X-Frame-Options' headers with conflicting values

Arachnid picture Arachnid · Mar 4, 2014 · Viewed 39.1k times · Source

Update: This works for IE but Chrome is still throwing this error. I am attempting to i-frame a site I own by another site I own. Here is error message I am getting in the JS console on Chrome:

Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.

I did a search for SAMEORIGIN everywhere I am not setting this ANYWHERE.

The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously same-origin policies keep me from doing this. So i have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". On the begin-request method i have added this:

HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

on the page level I have added this:

<meta name="x-frame-options" content="allowall" />

In Javascript i have added this:

<script type="text/javascript">
    document.domain = "mysite.com";
</script>

I am running out of things to try... Thank you in advance for your assistance.

Answer

Mike the Tike picture Mike the Tike · Jun 5, 2014

In my case it was the anti-forgery token that was adding the header. Adding this in Application_Start stopped it from adding it:

AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame.