Correcting multiple X-Frame-Options header (#50)

- #7

* According to RFC7034, only these three values, DENY, SAMEORIGIN and ALLOW FROM are valid values and they are mutually exclusive; that is, the header field must be set to exactly ONE of these three values.   This will prevent the CSRF code from inserting it multiple times as well as duplicating it if it was already set elsewhere (e.g. IIS Header)
* Changed var to const string per request.
* Changed const name to avoid SA130 error
* Changing to correct cost naming per standard

Author: chekm8

src/System.Web.WebPages/Helpers/AntiXsrf/AntiForgeryWorker.cs

@@ -104,7 +104,11 @@ public TagBuilder GetFormInputElement(HttpContextBase httpContext)
                 // Adding X-Frame-Options header to prevent ClickJacking. See
                 // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
                 // for more information.
-                httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
+                const string FrameHeaderName = "X-Frame-Options";
+                if (httpContext.Response.Headers[FrameHeaderName] == null)
+                {
+                    httpContext.Response.AddHeader(FrameHeaderName, "SAMEORIGIN");
+                }
             }
 
             // <input type="hidden" name="__AntiForgeryToken" value="..." />
@@ -181,4 +185,4 @@ public void Validate(HttpContextBase httpContext, string cookieToken, string for
             _validator.ValidateTokens(httpContext, ExtractIdentity(httpContext), deserializedCookieToken, deserializedFormToken);
         }
     }
-}
+}