Sunday, December 20, 2015

Remove X-Frame-Options = SAMEORIGIN HTTP header in Sharepoint or allow Sharepoint site to be shown in iframe

By default Sharepoint 2013 adds the X-Frame-Options: SAMEORIGIN HTTP header to every response for better security (to prevent clickjacking attacks). Because of that, a Sharepoint site may be shown in an iframe only inside the same site; it is not possible to show it in an iframe inside another, external site. Sometimes the requirement to embed the site becomes more important, and we need to allow the site to be shown in iframes. In this post I will show how to solve this issue.

We will use the URL Rewrite IIS module to change the value of the X-Frame-Options HTTP header from SAMEORIGIN to an empty string. This is not 100% correct behaviour, because the allowed values for the header are DENY, SAMEORIGIN and ALLOW-FROM (the last one doesn't work in FF and Chrome at the moment of writing this article), i.e. if we don't need this header we should remove it completely. However, with URL Rewrite it is only possible to change headers, not remove them (I tried to remove it by adding <remove name="X-Frame-Options" /> to system.webServer > httpProtocol > customHeaders in web.config, but it didn't help). With an empty value, IE, FF and Chrome allow the site to be opened in an iframe.

First of all we need to install the URL Rewrite IIS extension if it is not installed yet. After that go to IIS Manager, select the appropriate Sharepoint site and click URL Rewrite on the right side. Create a new empty outbound rule as shown in the following picture:

Note that you need to specify the variable name as RESPONSE_X-Frame-Options, not just X-Frame-Options. And you should add neither RESPONSE_X-Frame-Options nor X-Frame-Options to URL Rewrite > Allowed Server Variables, as some articles suggest.

If you check web.config, the rule should look like this:

   <rewrite>
     <outboundRules>
       <!-- Outbound rule: match the X-Frame-Options response header (RESPONSE_ prefix) and rewrite it to an empty value -->
       <rule name="Rule1" patternSyntax="Wildcard" stopProcessing="false">
         <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
         <action type="Rewrite" value="" />
       </rule>
     </outboundRules>
   </rewrite>

Now if you check the response from your Sharepoint site in Fiddler, you will see that the X-Frame-Options header is empty:

After that it will be possible to show your site in an iframe. Hope it will help someone, but anyway don't forget about security.
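The Fiddler check above can be automated. The following script is an added example, not code from the original post: it parses a raw HTTP response (two constructed samples stand in for what Fiddler shows before and after the rule) and reports whether a page served with those headers may be framed by a given embedding origin, following the rules the post describes: DENY and SAMEORIGIN restrict framing, ALLOW-FROM names one origin, and an empty or missing X-Frame-Options header leaves framing open to any site. The site URLs are placeholders; the function only looks at X-Frame-Options, since that is the header the post changes.

```python
"""Report the framing policy announced by an HTTP response's X-Frame-Options header.

Added example for the post above (not the post's own code). Host names below
are placeholders.
"""
from urllib.parse import urlsplit


def parse_response_headers(raw: bytes) -> dict:
    """Return the headers of a raw HTTP/1.1 response as a lower-cased dict.

    Duplicate headers are joined with ', ' the way proxies usually show them,
    so a conflicting second X-Frame-Options value is not silently lost.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def origin_of(url: str) -> str:
    """Scheme and host[:port] of a URL, lower-cased, for same-origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def framing_allowed(headers: dict, page_url: str, embedder_url: str):
    """Decide whether page_url may be framed by embedder_url. Returns (allowed, reason)."""
    value = headers.get("x-frame-options", "")
    if "," in value:
        # Two X-Frame-Options headers were sent; browsers disagree on how to merge them.
        return False, f"conflicting X-Frame-Options values {value!r}: review the configuration"
    tokens = value.split()
    if not tokens:
        if "x-frame-options" in headers:
            # The state the post produces: header present but empty, so browsers ignore it.
            return True, "X-Frame-Options present but empty: any site may frame the page"
        return True, "no X-Frame-Options header: any site may frame the page"
    directive = tokens[0].upper()
    if directive == "DENY":
        return False, "DENY: no site may frame the page"
    if directive == "SAMEORIGIN":
        same = origin_of(page_url) == origin_of(embedder_url)
        return same, "SAMEORIGIN: only the same origin may frame the page"
    if directive == "ALLOW-FROM" and len(tokens) > 1:
        allowed = origin_of(tokens[1]) == origin_of(embedder_url)
        return allowed, f"ALLOW-FROM {tokens[1]}: only that origin may frame the page"
    return True, f"unrecognised value {value!r}: not a valid directive, treated as unprotected"


def audit(raw: bytes, page_url: str, embedder_url: str):
    """Parse a raw response and evaluate its framing policy for one embedder."""
    return framing_allowed(parse_response_headers(raw), page_url, embedder_url)


# Constructed sample responses: what Fiddler would show before and after the rewrite rule.
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n"
          b"X-Frame-Options: SAMEORIGIN\r\n"
          b"\r\n<html></html>")
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html; charset=utf-8\r\n"
         b"X-Frame-Options: \r\n"
         b"\r\n<html></html>")

PAGE = "https://sharepoint.example.local/sites/team"      # placeholder Sharepoint page
EMBEDDER = "https://portal.example.local/dashboard"       # placeholder external site

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        ok, why = audit(raw, PAGE, EMBEDDER)
        print(f"{label}: framing {'allowed' if ok else 'blocked'} ({why})")
```

Run against live traffic, the same `framing_allowed` function can take the header dictionary of any HTTP client response; the point of the check is that "allowed" for an external embedder after the rule means "allowed for every site", which is why the post's closing reminder about security matters.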

2 comments:

  1. Hi,
    Thanks for this post. I know it's one year old but it really helped me with an issue I had with displaying Cognos content in an iframe. Thanks also to http://queryvision.com/kb/ibm-cognos-analytics-11-0-4-solution-reports-blocked-iframes/ for putting the link to your blog.
    Thanks and keep it up