aspnet · dougbu · Sep 21, 2017 · Jun 19, 2017 · Sep 21, 2017 · Sep 21, 2017
diff --git a/src/System.Web.WebPages/Helpers/AntiXsrf/AntiForgeryWorker.cs b/src/System.Web.WebPages/Helpers/AntiXsrf/AntiForgeryWorker.cs
@@ -104,7 +104,11 @@ public TagBuilder GetFormInputElement(HttpContextBase httpContext)
                 // Adding X-Frame-Options header to prevent ClickJacking. See
                 // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
                 // for more information.
-                httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
+                const string FrameHeaderName = "X-Frame-Options";
+                if (httpContext.Response.Headers[FrameHeaderName] == null)
+                {
+                    httpContext.Response.AddHeader(FrameHeaderName, "SAMEORIGIN");
+                }
             }
 
             // <input type="hidden" name="__AntiForgeryToken" value="..." />
@@ -181,4 +185,4 @@ public void Validate(HttpContextBase httpContext, string cookieToken, string for
             _validator.ValidateTokens(httpContext, ExtractIdentity(httpContext), deserializedCookieToken, deserializedFormToken);
         }
     }
-}
+}