asp.net-mvc: MVC 5 prevents access to content via Iframe
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, published under the CC BY-SA 4.0 licence. If you use it you must likewise follow the CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/20254303/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
MVC 5 prevents access to content via Iframe
Asked by Leszek R.
Ever since the upgrade from MVC4 to MVC5, I have noticed an extra server header added to my web pages:
X-Frame-Options: SAMEORIGIN
I understand the security benefits of adding this tag, but one of the pages is meant to be included inside an iframe from other projects (on other domains), and this extra header is preventing this.
I have verified it is not the hosting IIS7 server that is adding the header, and when I downgraded back to MVC4 the header was gone.
Does anyone know how to remove this default from MVC5?
Answered by Colin Bacon
MVC5 automatically adds the HTTP header X-Frame-Options with SAMEORIGIN. This prevents your site from being loaded into an iframe.
But we can turn this off in Application_Start in Global.asax.cs.
Example
using System.Web.Helpers;   // AntiForgeryConfig

protected void Application_Start()
{
    // Stops the anti-forgery helper from adding X-Frame-Options: SAMEORIGIN to responses
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
Update
I have written a post about this: MVC5 prevents your website being loaded in an IFRAME
Answered by Oleksii Aza
Try something like this in Global.asax:
// Global.asax.cs: strips the header from every response just before the headers are sent.
// Response.Headers is only writable under the IIS 7+ integrated pipeline.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
}
EDIT:
Look at the answer of Colin Bacon. It is more correct than mine.
In short - don't remove this header if you don't want to run your site in an IFRAME, because it will open a forgery vulnerability. But if you still want to remove it - use AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in Application_Start; it is a cleaner way of doing this.
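Before and after any of these changes it is worth checking what the page actually sends and what that means for a given embedding origin. The following is an added example written for this page, not code from the question or from any of the answers: it evaluates a captured set of response headers the way a browser would. The origins https://widgets.example, https://partner.example and https://evil.example and the three header sets are constructed for the demonstration.

```csharp
// Added example, not code from the question or any answer: an offline check of what a
// response's headers mean for framing, for headers captured from the page before and after
// a change (constructed samples here). Browser rules applied: a CSP frame-ancestors directive
// is authoritative and X-Frame-Options is then ignored; otherwise DENY/SAMEORIGIN apply,
// conflicting X-Frame-Options values deny, and ALLOW-FROM counts as unsupported (no protection).
using System;
using System.Collections.Generic;
using System.Linq;

public static class FramingCheck
{
    // headers: name -> every value sent under that name. pageOrigin is the framed page's origin,
    // embedderOrigin the origin of the document that contains the <iframe>.
    public static bool IsFramingAllowed(IDictionary<string, string[]> headers, string pageOrigin, string embedderOrigin)
    {
        Uri page = new Uri(pageOrigin), embedder = new Uri(embedderOrigin);
        var frameAncestors = Get(headers, "Content-Security-Policy")
            .SelectMany(policy => policy.Split(';')).Select(d => d.Trim())
            .Where(d => d.StartsWith("frame-ancestors", StringComparison.OrdinalIgnoreCase))
            .Select(d => d.Substring("frame-ancestors".Length)).ToList();
        if (frameAncestors.Count > 0)                            // every policy that sets it must allow
            return frameAncestors.All(list => SourceListAllows(list, page, embedder));

        var xfo = Get(headers, "X-Frame-Options").Select(v => v.Trim().ToUpperInvariant()).Distinct().ToList();
        if (xfo.Count == 0) return true;                         // no policy: any site may frame the page
        if (xfo.Count > 1) return false;                         // conflicting values: browsers refuse to frame
        if (xfo[0] == "DENY") return false;
        if (xfo[0] == "SAMEORIGIN") return SameOrigin(page, embedder);
        return true;                                             // ALLOW-FROM or garbage: header ignored
    }

    static IEnumerable<string> Get(IDictionary<string, string[]> headers, string name)
    {
        var key = headers.Keys.FirstOrDefault(k => k.Equals(name, StringComparison.OrdinalIgnoreCase));
        return key == null ? Enumerable.Empty<string>() : headers[key];
    }

    static bool SameOrigin(Uri a, Uri b)
    {
        return a.Scheme.Equals(b.Scheme, StringComparison.OrdinalIgnoreCase)
            && a.Host.Equals(b.Host, StringComparison.OrdinalIgnoreCase) && a.Port == b.Port;
    }

    static bool SourceListAllows(string sourceList, Uri page, Uri embedder)
    {
        foreach (var src in sourceList.Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (src == "*") return true;
            if (src.Equals("'none'", StringComparison.OrdinalIgnoreCase)) continue;       // matches nothing
            if (src.Equals("'self'", StringComparison.OrdinalIgnoreCase)) { if (SameOrigin(page, embedder)) return true; }
            else if (src.EndsWith(":") && !src.Contains("/"))                               // scheme-source, e.g. https:
            { if (embedder.Scheme.Equals(src.TrimEnd(':'), StringComparison.OrdinalIgnoreCase)) return true; }
            else if (HostSourceMatches(src, page, embedder)) return true;
        }
        return false;                                            // empty list, 'none', or no match
    }

    // host-source: [scheme://]host[:port]; a leading "*." covers subdomains.
    static bool HostSourceMatches(string src, Uri page, Uri embedder)
    {
        string scheme = null, rest = src;
        var at = src.IndexOf("://", StringComparison.Ordinal);
        if (at >= 0) { scheme = src.Substring(0, at); rest = src.Substring(at + 3); }
        rest = rest.TrimEnd('/');
        string host = rest; int port = -1;
        var colon = rest.LastIndexOf(':');
        if (colon >= 0) { if (!int.TryParse(rest.Substring(colon + 1), out port)) return false; host = rest.Substring(0, colon); }

        if (scheme != null) { if (!embedder.Scheme.Equals(scheme, StringComparison.OrdinalIgnoreCase)) return false; }
        else if (!embedder.Scheme.Equals(page.Scheme, StringComparison.OrdinalIgnoreCase) && embedder.Scheme != "https") return false;
        if (port >= 0 ? embedder.Port != port : !embedder.IsDefaultPort) return false;   // omitted port = scheme default
        if (host.StartsWith("*."))
            return embedder.Host.Length > host.Length - 1 && embedder.Host.EndsWith(host.Substring(1), StringComparison.OrdinalIgnoreCase);
        return embedder.Host.Equals(host, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        const string page = "https://widgets.example";            // hypothetical framed page
        // Constructed header sets: the MVC5 default, the header suppressed, and an allow-list.
        var mvc5Default = new Dictionary<string, string[]> { { "X-Frame-Options", new[] { "SAMEORIGIN" } } };
        var suppressed = new Dictionary<string, string[]>();
        var allowListed = new Dictionary<string, string[]>
        {
            { "X-Frame-Options", new[] { "SAMEORIGIN" } },       // ignored: frame-ancestors is present
            { "Content-Security-Policy", new[] { "default-src 'self'; frame-ancestors 'self' https://partner.example" } }
        };
        foreach (var embedder in new[] { page, "https://partner.example", "https://evil.example" })
            Console.WriteLine("{0,-26} default={1} suppressed={2} allow-listed={3}", embedder,
                IsFramingAllowed(mvc5Default, page, embedder), IsFramingAllowed(suppressed, page, embedder),
                IsFramingAllowed(allowListed, page, embedder));
    }
}
```

With the MVC5 default only the page's own origin may frame it; with the header suppressed every origin may; with a CSP frame-ancestors allow-list only the named partner (and the page itself) may, and the SAMEORIGIN header still present on that response is ignored. The checker handles the common source forms ('self', 'none', *, scheme-only sources and host sources with an optional *. wildcard); it does not model nested frames, where browsers check every ancestor, not just the direct embedder.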
Answered by long2know
If you want a little more flexibility, here's an ActionAttribute that adds/removes headers based on a whitelist. If the referrer isn't in the whitelist, then the SAMEORIGIN header is left in place. I was going to paste the code, but SO complains about the length.
https://long2know.com/2016/06/asp-net-anti-forgery-xframe-options/
Answered by Zarepheth
Here is a replacement Extension method for the HtmlHelper class. It will first clear all X-Frame-Options headers and then add back a single X-Frame-Options header normally added by the built-in AntiForgeryToken method.
This technique respects the SuppressXFrameOptionsHeader setting, but has the downside of removing all previously added X-Frame-Options headers, even those with values other than SAMEORIGIN.
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public static class AntiForgeryExtensions
{
    public static MvcHtmlString AntiForgeryTokenSingleHeader(this HtmlHelper html)
    {
        // GetHtml() renders the hidden token field and, unless suppressed, adds X-Frame-Options
        string token = AntiForgery.GetHtml().ToString();
        HttpResponseBase httpResponse = html.ViewContext.HttpContext.Response;
        // Clear every X-Frame-Options header, whatever its value ...
        httpResponse.Headers.Remove("X-Frame-Options");
        // ... then add back exactly one, unless the global setting suppresses it
        if (!AntiForgeryConfig.SuppressXFrameOptionsHeader)
        {
            httpResponse.AddHeader("X-Frame-Options", "SAMEORIGIN");
        }
        return new MvcHtmlString(token);
    }
}
Answered by Denys Wessels
Personally, I don't think it's a good idea to disable X-Frame-Options across the whole site. I've created an ASP.NET MVC filter which removes this header and I simply apply this filter to the portions of the site that are used in iFrames, e.g. widgets.
using System.Web.Mvc;

// Apply to the controllers or actions that are meant to be embedded in iframes
public class AllowDifferentOrigin : ActionFilterAttribute, IActionFilter
{
    // Runs after the view has rendered, i.e. after Html.AntiForgeryToken() has added the header
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
        base.OnResultExecuted(filterContext);
    }
}
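Removing the header on the embeddable actions, as the filter above does, leaves those responses with no framing policy at all, so any site can frame them. The following added example (written for this page; it is not the code of Colin Bacon's or Denys Wessels's answers, nor part of ASP.NET MVC) combines the global AntiForgeryConfig.SuppressXFrameOptionsHeader switch with a global filter that emits a same-origin policy everywhere and an explicit allow-list of embedding origins only where an action is marked. The names AllowFramingFromAttribute, FramingPolicyFilter and WidgetController and the origin https://partner.example are hypothetical. It relies on Response.Headers being writable, which needs the IIS integrated pipeline.

```csharp
// Added example, not code from the question or any of the answers above: keep the
// default same-origin framing policy on every response and open it only for actions
// marked as embeddable, naming the embedding origins explicitly. The type names
// (AllowFramingFromAttribute, FramingPolicyFilter, WidgetController) and the partner
// origin https://partner.example are hypothetical. Requires the IIS integrated
// pipeline, since Response.Headers is read-only in classic mode.
using System;
using System.Linq;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace FramingExample
{
    // Marks an action or controller as embeddable by the listed origins (plus our own).
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public sealed class AllowFramingFromAttribute : Attribute
    {
        public string[] Origins { get; private set; }

        public AllowFramingFromAttribute(params string[] origins)
        {
            foreach (var o in origins)
            {
                Uri uri;
                // An origin is scheme://host[:port] only; a path or query would be silently
                // ignored by frame-ancestors, so reject it here rather than ship a typo.
                if (!Uri.TryCreate(o, UriKind.Absolute, out uri) || uri.PathAndQuery != "/" || uri.Fragment != "")
                    throw new ArgumentException("Not an origin: " + o);
            }
            Origins = origins;
        }
    }

    // Registered globally: every MVC response gets a framing policy, chosen per action.
    public sealed class FramingPolicyFilter : ActionFilterAttribute
    {
        public override void OnResultExecuted(ResultExecutedContext filterContext)
        {
            var descriptor = filterContext.ActionDescriptor;
            var allow = descriptor.GetCustomAttributes(typeof(AllowFramingFromAttribute), true)
                .Concat(descriptor.ControllerDescriptor.GetCustomAttributes(typeof(AllowFramingFromAttribute), true))
                .Cast<AllowFramingFromAttribute>()
                .FirstOrDefault();   // an action-level attribute wins over a controller-level one

            var response = filterContext.HttpContext.Response;
            // Drop any X-Frame-Options another component added while the view rendered, so
            // the policy below is the only one the browser sees.
            response.Headers.Remove("X-Frame-Options");

            if (allow == null)
            {
                // Default: only our own origin may frame this page.
                response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
                response.AppendHeader("Content-Security-Policy", "frame-ancestors 'self'");
            }
            else
            {
                // frame-ancestors is the standard way to allow-list embedding origins; the old
                // X-Frame-Options ALLOW-FROM is not honoured by current browsers, so it is not
                // sent. Assumes no other CSP header on this response also sets frame-ancestors.
                response.AppendHeader("Content-Security-Policy",
                    "frame-ancestors 'self' " + string.Join(" ", allow.Origins));
            }
            base.OnResultExecuted(filterContext);
        }
    }

    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            // The anti-forgery helper no longer writes X-Frame-Options; the filter owns it.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
            GlobalFilters.Filters.Add(new FramingPolicyFilter());
        }
    }

    public class WidgetController : Controller
    {
        // Embeddable from https://partner.example only; every other action stays SAMEORIGIN.
        [AllowFramingFrom("https://partner.example")]
        public ActionResult Embed()
        {
            return View();
        }
    }
}
```

Browsers enforce frame-ancestors and ignore X-Frame-Options when both are present, so the allow-listed response sends only the CSP header, while the default response sends both so that agents without CSP support still get SAMEORIGIN. If the application already sets its own Content-Security-Policy with a frame-ancestors directive, both policies are enforced and the stricter one wins, so the allow-list then has to go into that policy instead of a second header.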