aspnet · dougbu · Sep 21, 2017 · Jun 19, 2017 · Sep 21, 2017 · Sep 21, 2017
diff --git a/src/System.Web.WebPages/Helpers/AntiXsrf/AntiForgeryWorker.cs b/src/System.Web.WebPages/Helpers/AntiXsrf/AntiForgeryWorker.cs
@@ -104,7 +104,11 @@ public TagBuilder GetFormInputElement(HttpContextBase httpContext)
                 // Adding X-Frame-Options header to prevent ClickJacking. See
                 // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
                 // for more information.
-                httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
+                const string xFrameHeaderName = "X-Frame-Options";
+                if (httpContext.Response.Headers[xFrameHeaderName] == null)
+                {
+                    httpContext.Response.AddHeader(xFrameHeaderName, "SAMEORIGIN");
+                }
             }
 
             // <input type="hidden" name="__AntiForgeryToken" value="..." />