Posted on 5:21 AM by Softminer and filed under

by default asp.net is setting x-frame-options: SAMEORIGIN which doesnt allow anywebsite to embed your IFRAME to disable that you need to

  System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

But the make sure to have this value to same origin in web.config

<add name="X-Frame-Options" value="SAMEORIGIN" />

The X-Frame-Options header may contain one of three tokens:

ALLOW-FROM origin 

you can allow a website by

X-Frame-Options: ALLOW-FROM https://yourwebsite.com

but new browser are also taking look at this value on header: 

Content-Security-Policy: frame-ancestors 'self' https://yourwebsite.com

more about it