Asp.net MVC5在Html.AntiForgeryToken()中加入了X-Frame-Options输出.用于拒绝页面被iframe嵌入.
若禁用:
protected void Application_Start()
{
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
只能启用禁用,不能设置值,因为源代码中将值写死了,若要控制值需要通过配置文件或自己写代码.
if (!_config.SuppressXFrameOptionsHeader)
{
// Adding X-Frame-Options header to prevent ClickJacking. See
// http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
// for more information.
const string FrameHeaderName = "X-Frame-Options";
if (httpContext.Response.Headers[FrameHeaderName] == null)
{
httpContext.Response.AddHeader(FrameHeaderName, "SAMEORIGIN");
}
}