Removing X-Frame-Options being added automatically only in the Login page


Question

I am developing an ASP.NET MVC application which needs to be loaded inside an iframe on another website. But the login page just won't appear inside the iframe, because an X-Frame-Options header set to SAMEORIGIN is being sent in the response, and the browser refuses to display the page in the iframe because of it. I have already Googled and tried multiple things, but nothing worked.

I am using ASP.NET forms authentication. Maybe in this case IIS adds this header to the login page for added security. But I need to get rid of it in my use case.

I tried adding a custom header:

<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="ALLOW" />
  </customHeaders>
</httpProtocol>

But SAMEORIGIN is still being added to the header, separated by a comma.

I also tried adding the header value from C# using Response.Headers["X-Frame-Options"] = "ALLOW". That causes two headers with the same name.

I also tried this in web.config:

<customHeaders>
    <remove name="X-Frame-Options" />
</customHeaders>

It doesn't work either.

Answer

MVC 5 automatically adds an X-Frame-Options header, so go to your Global.asax file and add this to the Application_Start() method:

System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

Please note that, especially for a login page, it is bad practice to remove this header, because it opens your site up to login-credential phishing attacks. So if this site of yours is publicly accessible, I strongly recommend keeping this header.
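The following Global.asax.cs is an added example, not code from the question or the answer above. It applies the setting the answer names and, rather than leaving the login page frameable by any site, sends a Content-Security-Policy frame-ancestors directive so that only one trusted parent origin may embed it. The origin "https://partner.example", the namespace, and the use of the MVC 5 template's default RouteConfig registration are assumptions for the sake of the example.

```csharp
// Added example (not from the original Q&A): Global.asax.cs for an ASP.NET MVC 5 app.
// It suppresses the "X-Frame-Options: SAMEORIGIN" header that the anti-forgery helper
// emits, then restricts framing to a single trusted parent with CSP frame-ancestors,
// which keeps the login page protected against being framed by arbitrary sites.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

namespace FramedApp
{
    public class MvcApplication : HttpApplication
    {
        // Assumed placeholder: the one origin that is allowed to embed this application.
        private const string TrustedFrameAncestor = "https://partner.example";

        protected void Application_Start()
        {
            // Default registrations generated by the MVC 5 project template.
            AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(RouteTable.Routes);

            // The setting named in the answer: MVC 5's AntiForgery helper adds
            // X-Frame-Options: SAMEORIGIN whenever it renders a token. This turns that off
            // without disabling the anti-forgery token itself.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
        }

        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            // Replace the blanket SAMEORIGIN rule with an explicit allow-list of framers.
            // Browsers that implement CSP Level 2 enforce frame-ancestors, and where both
            // headers are present frame-ancestors takes precedence over X-Frame-Options.
            HttpContext.Current.Response.AppendHeader(
                "Content-Security-Policy",
                "frame-ancestors 'self' " + TrustedFrameAncestor);
        }
    }
}
```

After deploying, request the login page with a client that shows response headers (for example `curl -I https://<your-app>/Account/Login`, with the host as a placeholder) and confirm that no X-Frame-Options header remains and that the Content-Security-Policy header lists only the intended origin; any other site that tries to frame the page will then be blocked by the browser exactly as SAMEORIGIN blocked it before.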
