A similar question has been asked here but I'm not sure how to fix this in dot net core.
I have a web application with many views; some of these views are used in another piece of software using iframes.
Some of these views work, but I have added two new ones recently and, for some reason, I couldn't use them in iframes. On closer inspection, I have seen that the two new views are adding an X-FRAME-OPTIONS value of SAMEORIGIN, which is stopping them from being displayed in iframes.
Two questions:
- What could be the reason only the new views have this new X-FRAME-OPTIONS value of SAMEORIGIN?
- How do I remove these headers from views?
EDIT
I have found that this only happens when the view contains form data which binds to the asp actions.
The following doesn't work and automatically adds the X-FRAME-OPTIONS header:

    <form asp-action="myAspAction_1" enctype="multipart/form-data" id="my-form">
        <div style="text-align: center; margin: auto;">
            <label>Choose file: </label><input asp-for="myAspAction_2" onchange="changeFnc()" style="width: 200px; text-align: center; margin: auto;" />
        </div>
        <input id="input-box-1" type="submit" value="My value" disabled="true" style="width:200px; margin:20px" />
    </form>

If I remove the asp-action and asp-for, it works:

    <form enctype="multipart/form-data" id="my-form">
        <div style="text-align: center; margin: auto;">
            <label>Choose file: </label><input onchange="changeFnc()" style="width: 200px; text-align: center; margin: auto;" />
        </div>
        <input id="input-box-1" type="submit" value="My value" disabled="true" style="width:200px; margin:20px" />
    </form>

CodePudding user response:
In ASP.NET Core you can add the following code to the ConfigureServices method in Startup.cs to skip the restriction:

    services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
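
Suppressing the header removes the framing restriction from every antiforgery-protected form, so a defender would normally pair it with a `Content-Security-Policy: frame-ancestors` allow-list that names only the embedding application. The following is an added example, not part of the answer above. It assumes ASP.NET Core 3.1 or later, and the `AllowedFrameAncestors` configuration key and the `https://partner.example` origin are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
// Assumes ASP.NET Core 3.1 or later (endpoint routing).
public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Stop antiforgery from emitting X-Frame-Options: SAMEORIGIN.
        // Framing is then governed by the frame-ancestors policy set below.
        services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
    }

    public void Configure(IApplicationBuilder app)
    {
        // Hypothetical key, e.g. "AllowedFrameAncestors": ["https://partner.example"]
        var configured = _config.GetSection("AllowedFrameAncestors").Get<string[]>()
            ?? Array.Empty<string>();

        // Keep only absolute https entries, reduced to scheme://host[:port],
        // so a malformed config value cannot widen or corrupt the policy.
        var origins = configured
            .Select(o => Uri.TryCreate(o, UriKind.Absolute, out var u) && u.Scheme == Uri.UriSchemeHttps
                ? u.GetLeftPart(UriPartial.Authority) : null)
            .Where(o => o != null)
            .Distinct();
        var policy = string.Join(" ", new[] { "frame-ancestors", "'self'" }.Concat(origins));

        app.Use(async (context, next) =>
        {
            // Overwrites any CSP set earlier; merge the directive if the app already sends one.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers["Content-Security-Policy"] = policy;
                return Task.CompletedTask;
            });
            await next();
        });

        app.UseRouting();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}
```

With an empty or invalid allow-list the policy falls back to `frame-ancestors 'self'`, which gives the same effect as the suppressed SAMEORIGIN header.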