Supporting HTML frames in ASP.NET MVC applications when using the AntiForgeryToken helper
Posted: (EET/GMT+2)
If you have an ASP.NET MVC 5 application that you are trying to display inside an HTML frame and you are using the AntiForgeryToken HTML helper in your views, you might end up in a situation where Internet Explorer (IE) displays the following error message:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
Other browsers might display only a blank page, that is, no content inside the frame, even though everything works just fine when you directly access the page or view without it being embedded into a frame (such as the IFRAME tag).
The reason for this error and the blank page is security. To prevent what is called clickjacking, browsers refuse to display a page inside a frame when the server hosting the page asks them to, typically unless the frame and the page come from the same server. The HTTP header that controls this is named X-Frame-Options, and it is specified in RFC 7034.
The AntiForgeryToken HTML helper automatically adds the "X-Frame-Options: DENY" HTTP header to the response of any view that uses it. To disable this header and enable support for frames, you can set an option, for instance in your Global.asax.cs file in the Application_Start method, like this:
/* Enable support for HTML frames by suppressing the X-Frame-Options
 * HTTP header generated by the AntiForgeryToken HTML helper. */
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
The configuration is done through the AntiForgeryConfig class, which is part of the System.Web.Helpers namespace.
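Suppressing the header globally leaves every view frameable, so as an added example (not code from the original post) here is how to keep DENY as the site-wide default and relax it only on the actions that really need framing, using a small custom action filter. It assumes an ASP.NET MVC 5 application running in IIS integrated mode (HttpResponse.Headers requires it); the FrameOptionsAttribute, WidgetController and Embed names are hypothetical.

```csharp
// Added example: suppress the helper's global DENY, then re-apply an
// X-Frame-Options policy per action so only selected views may be framed.
// Assumes IIS integrated mode (HttpResponse.Headers); names are hypothetical.
using System.Web.Helpers;
using System.Web.Mvc;

public sealed class FrameOptionsAttribute : ActionFilterAttribute
{
    private readonly string _policy;

    // policy is one of the RFC 7034 values: "DENY", "SAMEORIGIN",
    // or "ALLOW-FROM https://trusted.example" (constructed origin).
    public FrameOptionsAttribute(string policy) { _policy = policy; }

    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var headers = filterContext.HttpContext.Response.Headers;
        // Replace rather than append: two X-Frame-Options headers with
        // conflicting values are treated as DENY by browsers, which would
        // hide the page in the frame again.
        headers.Remove("X-Frame-Options");
        headers.Add("X-Frame-Options", _policy);
        base.OnResultExecuting(filterContext);
    }
}

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Stop AntiForgeryToken from emitting DENY on every view that uses it...
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
        // ...and make DENY the default for every action instead, so disabling
        // the helper's header does not silently leave the whole site frameable.
        // Global filters run before action filters, so an action-level
        // attribute overrides this default for that action only.
        GlobalFilters.Filters.Add(new FrameOptionsAttribute("DENY"));
    }
}

public class WidgetController : Controller
{
    // Only this action may be framed, and only by pages from the same origin.
    [FrameOptions("SAMEORIGIN")]
    public ActionResult Embed() { return View(); }
}
```

Note that ALLOW-FROM was only ever honoured by IE and older Firefox releases; Chrome and Safari ignore it, and current browsers use the Content-Security-Policy frame-ancestors directive for an allow-list of framing origins instead.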
Remember that you can also control HTTP headers from within web.config using the "customHeaders" element inside the "httpProtocol" element, like this:
<!-- httpProtocol lives under the system.webServer section of web.config -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="ALLOW-FROM http://192.168.1.123/" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Hope this helps!
Keywords: ASP.NET MVC view does not display inside frame; IE, Firefox, Chrome error empty page shown