From fd81151d31098b8c21a29d241a16e9e3128a4699 Mon Sep 17 00:00:00 2001
From: Ryan Brandenburg
Date: Mon, 18 Apr 2016 11:29:42 -0700
Subject: [PATCH] Preserve X-Frame-Options if it was already set

---
 .../Internal/DefaultAntiforgery.cs | 2 +-
 .../Internal/DefaultAntiforgeryTest.cs | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs b/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs
index 9227bd6b78..44310c5187 100644
--- a/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs
+++ b/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs
@@ -248,7 +248,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
 _tokenStore.SaveCookieToken(httpContext, cookieToken);
 }
 
- if (!_options.SuppressXFrameOptionsHeader)
+ if (!_options.SuppressXFrameOptionsHeader && !httpContext.Response.Headers.ContainsKey("X-Frame-Options"))
 {
 // Adding X-Frame-Options header to prevent ClickJacking. See
 // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
diff --git a/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs b/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs
index 45bd0236ba..335f2c91a2 100644
--- a/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs
+++ b/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs
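Review bot: The header name `"X-Frame-Options"` is now a string literal in the new condition and, presumably, a second time in the assignment just below the hunk; a single `private const string XFrameOptionsHeaderName = "X-Frame-Options";` used by both the `ContainsKey` check and the write keeps the guard and the header it guards from drifting apart. The comment that follows should also record the new precedence, since a reader otherwise expects the SAMEORIGIN default to be applied whenever SuppressXFrameOptionsHeader is false: `// Adding X-Frame-Options header to prevent ClickJacking, unless the application or an earlier middleware already set one; an explicit value (e.g. DENY) is left untouched.` Note that the check keys on presence only, so whatever value was set upstream wins, stricter or weaker; that matches the commit's intent but is worth stating next to the check. The enclosing method (SetCookieTokenAndHeader, going by the accompanying test) starts and ends outside the hunk.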
@@ -783,6 +783,31 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
 Times.Never);
 }
 
+ [Fact]
+ public void SetCookieTokenAndHeader_PreserveXFrameOptionsHeader()
+ {
+ // Arrange
+ var options = new AntiforgeryOptions();
+ var antiforgeryFeature = new AntiforgeryFeature();
+ var expectedHeaderValue = "DIFFERENTORIGIN";
+
+ // Generate a new cookie.
+ var context = CreateMockContext(
+ options,
+ useOldCookie: false,
+ isOldCookieValid: false,
+ antiforgeryFeature: antiforgeryFeature);
+ var antiforgery = GetAntiforgery(context);
+ context.HttpContext.Response.Headers["X-Frame-Options"] = expectedHeaderValue;
+
+ // Act
+ antiforgery.SetCookieTokenAndHeader(context.HttpContext);
+
+ // Assert
+ var xFrameOptions = context.HttpContext.Response.Headers["X-Frame-Options"];
+ Assert.Equal(expectedHeaderValue, xFrameOptions);
+ }
+
 [Theory]
 [InlineData(false, "SAMEORIGIN")]
 [InlineData(true, null)]
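Review bot: The new test pins a single value, and `"DIFFERENTORIGIN"` is not a value a browser honours for X-Frame-Options, so it documents the preserve-existing-header behaviour less clearly than real values would. Turning it into a theory covers both the stricter and the equal case with no extra code: replace `[Fact]` with `[Theory]`, `[InlineData("DENY")]`, `[InlineData("SAMEORIGIN")]`, take `string expectedHeaderValue` as the parameter and drop the local. A third case that sets the header under the name `"x-frame-options"` would also confirm that the presence check in DefaultAntiforgery does not depend on the casing an earlier middleware used, assuming the response header dictionary compares names case-insensitively as I believe it does. The enclosing test class starts and ends outside the hunk.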