IFrame embeding browser permissions

by default asp.net is setting x-frame-options: SAMEORIGIN which doesnt allow anywebsite to embed your IFRAME to disable that you need to

  System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

But the make sure to have this value to same origin in web.config

<add name="X-Frame-Options" value="SAMEORIGIN" />

The X-Frame-Options header may contain one of three tokens:

DENY

SAMEORIGIN

ALLOW-FROM origin 

read more: https://bit.ly/2pGxI1n

you can allow a website by

X-Frame-Options: ALLOW-FROM https://yourwebsite.com

but new browser are also taking look at this value on header: 

Content-Security-Policy: frame-ancestors 'self' https://yourwebsite.com

more about it

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://www.keycdn.com/blog/http-security-headers/

https://content-security-policy.com/