
Saturday 25 March 2017

Displaying SharePoint site pages in an iFrame

Posts in the iFraming issue series:
IE11 not saving field data iframe Issue
Term Store/MMS musing when using iFrames (WebTaggingDialog)
Displaying SharePoint Site Pages in iFrames (this post)

Problem: I need to display a SharePoint 2013 document library within an iFrame on a separate SharePoint 2016 site. By default, SharePoint does not allow itself to be iFramed.

Hypothesis: IE and the other browsers follow different rules for allowing iFraming. The iFraming rules are dictated by the HTTP headers that SharePoint outputs. SP 2010 and MOSS did not have iFraming restrictions. Furthermore, Chrome and Safari do not follow the X-Frame-Options HTTP header but use CSP to control ancestor framing.

Resolution:
1.> Remove the X-Frame-Options header generated by SharePoint - step 2 below.
2.> Add the custom X-Frame-Options HTTP header to allow a specific domain to iFrame the site (keep the attack surface as small as possible) - step 1 below.
3.> Add the Content-Security-Policy frame-ancestors entry to ensure Chrome and the other browsers will allow framing, as shown below.
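
One way to verify the three resolution steps after the change is to audit the headers the framed site actually returns. The script below is an added example, not code from the original post; the parent origin, the sample header values and the function names are constructed, and it assumes the SharePoint-generated header carries a SAMEORIGIN or DENY value.

```python
# Added example: audit response headers against the three resolution steps.
# The origin and header values below are constructed samples, not from the post.
PARENT = "https://portal2016.example"   # hypothetical SharePoint 2016 parent site

BEFORE = [("X-Frame-Options", "SAMEORIGIN")]   # default header still in place
AFTER = [
    ("X-Frame-Options", "ALLOW-FROM " + PARENT),
    ("Content-Security-Policy", "frame-ancestors 'self' " + PARENT),
]

def frame_ancestors(csp_values):
    """Return the source list of the frame-ancestors directive of each policy."""
    lists = []
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                lists.append(parts[1:])
                break   # only the first occurrence in a policy is used
    return lists

def audit_framing(headers, parent_origin):
    """headers: (name, value) pairs as received. Returns a list of findings."""
    findings = []
    xfo = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    # Step 1: the SharePoint-generated header (assumed SAMEORIGIN/DENY) must be gone.
    if any(v.upper() in ("SAMEORIGIN", "DENY") for v in xfo):
        findings.append("step 1: default X-Frame-Options still sent")
    # Step 2: the custom header must name exactly the parent origin.
    allowed = [v.split(None, 1)[1].strip().rstrip("/") for v in xfo
               if v.upper().startswith("ALLOW-FROM") and len(v.split()) > 1]
    if parent_origin not in allowed:
        findings.append("step 2: no ALLOW-FROM for the parent origin")
    # Step 3: CSP must list the parent (exact match only) and avoid a wildcard.
    lists = frame_ancestors(csp)
    if not lists:
        findings.append("step 3: no frame-ancestors directive")
    for sources in lists:
        if "*" in sources:
            findings.append("step 3: frame-ancestors allows any origin")
        elif parent_origin not in sources:
            findings.append("step 3: parent origin not in frame-ancestors")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_framing(hdrs, PARENT) or "OK")
```

Feed it the header pairs captured from a real response (for example from the browser's network tab) to confirm that only the intended parent origin is allowed to frame the site.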
