I hadn’t previously realised this but MVC adds an X-FRAME-OPTIONS: SAMEORIGIN header to site page responses as part of a security measure to prevent sites running in iframes. These can be removed in ASP.NET 5 applications by modifying the relevant option in Startup.cs.

public void ConfigureServices(IServiceCollection services)
	// Suppres X-FRAME-OPTIONS header to allow loading in iframe
	services.AddAntiforgery(options => {
		options.SuppressXFrameOptionsHeader = true;
	// Add framework services.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *