Sunday, December 20, 2015

Remove X-Frame-Options = SAMEORIGIN HTTP header in Sharepoint or allow Sharepoint site to be shown in iframe

By default Sharepoint 2013 adds the X-Frame-Options = SAMEORIGIN HTTP header to the response for better security (in order to avoid clickjacking attacks). Because of that, a Sharepoint site may be shown in an iframe only inside the same site, i.e. it is not possible to show it in an iframe inside another external site. Sometimes this requirement becomes more important and we need to allow sites to be shown in iframes. In this post I will show how to solve this issue.

We will use the URL Rewrite IIS module to change the value of the X-Frame-Options HTTP header from SAMEORIGIN to an empty string. This is not 100% correct behavior, because the allowed values for the header are DENY, SAMEORIGIN and ALLOW-FROM (the last one doesn’t work in FF and Chrome at the moment of writing this article), i.e. if we don’t need this header we should remove it completely. However, with URL Rewrite it is only possible to change headers, not remove them (I tried to remove it by adding <remove name="X-Frame-Options" /> to system.webServer > httpProtocol > customHeaders in web.config, but it didn’t help). With an empty value IE, FF and Chrome allow the site to be opened in an iframe.

First of all we need to install the URL Rewrite IIS extension if it is not installed yet. After that go to IIS Manager, select the appropriate Sharepoint site and click URL Rewrite on the right side. Create a new empty outbound rule as shown in the following picture:

Note that you need to specify the variable name as RESPONSE_X-Frame-Options, not just X-Frame-Options. And you should not add either RESPONSE_X-Frame-Options or X-Frame-Options to URL Rewrite > Allowed Server Variables, as is shown in some articles.

If you check web.config, the rule should look like this:

    <rewrite>
      <outboundRules>
        <rule name="Rule1" patternSyntax="Wildcard" stopProcessing="false">
          <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

Now if you check the response from your Sharepoint site in Fiddler, you will see that the X-Frame-Options header is empty:

After that it will be possible to show your site in an iframe. I hope it will help someone, but anyway don’t forget about security.
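Because the outbound rule above matches every response of the site, it is worth being able to find such rules later when reviewing a server. The following is an added example, not part of the original post: it scans a web.config for outbound rules that rewrite X-Frame-Options and reports whether the new value still restricts framing. The sample config, the `HideServer` rule and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the outbound rule from this post plus one unrelated rule.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Rule1" patternSyntax="Wildcard" stopProcessing="false">
          <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="HideServer">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>"""

# Header values listed in the post, minus ALLOW-FROM, which it notes
# does not work in FF and Chrome.
PROTECTIVE = {"DENY", "SAMEORIGIN"}


def find_xfo_rewrites(web_config_xml):
    """Return (rule name, new value, weakens) per outbound rule that rewrites X-Frame-Options."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for outbound in root.iter("outboundRules"):
        for rule in outbound.iter("rule"):
            match, action = rule.find("match"), rule.find("action")
            if match is None or action is None:
                continue
            # Tolerance chosen for this example: ignore case and '_' vs '-'.
            var = match.get("serverVariable", "").upper().replace("_", "-")
            if var != "RESPONSE-X-FRAME-OPTIONS":
                continue
            if action.get("type", "").lower() != "rewrite":
                continue
            value = action.get("value", "").strip()
            findings.append((rule.get("name"), value, value.upper() not in PROTECTIVE))
    return findings


if __name__ == "__main__":
    for name, value, weakens in find_xfo_rewrites(SAMPLE_WEB_CONFIG):
        print(f"{name}: X-Frame-Options rewritten to {value!r}; weakens framing protection: {weakens}")
```
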

Monday, December 14, 2015

Send email to external users in Sharepoint 2013 workflow

As you probably know Sharepoint 2013 supports 2 workflow platforms:

  • Workflows 2010
  • Workflows 2013

Using workflows 2013 in Sharepoint 2013 requires installation and configuration of Workflow Manager. There are many guides available on the internet at the moment, so I won’t repeat them here. It gives us many new useful features like loops. Unfortunately there are also some limitations compared with 2010 workflows. For example, it is not so simple now to send emails to external users. In a 2013 workflow, when you add the Send email action you should specify a valid (resolvable) Sharepoint user with a non-empty email, not the email itself. It was done for security purposes. Because of this you can no longer send email to external users as simply as in workflows 2010, where you could just specify the user’s email in the To field.

In order to avoid this issue we used Plumsail’s Workflow Actions Pack. Please note that it is a commercial product; prices are available on their web site. It also has a 30-day trial version with which you may try the product. The documentation available on Plumsail doesn’t provide all the information needed to make the actions pack work, so I will describe several additional steps.

After you install the package there will be a number of new actions available in Sharepoint Designer 2013. One of them is “Send email with attachments (SMTP)” (there is also a possibility to send email via Exchange, but I didn’t try it). In this action, together with the email settings (recipient, subject, body), you need to specify the SMTP host, port and SSL usage. Note that you may only use SMTP servers which work with authenticated users, and you need to specify credentials in the Email and Password fields of the workflow action together with the other SMTP parameters. (Initially the Plumsail documentation mentioned that these parameters belong to an Exchange user, but at the moment of writing this post it was already fixed, good work from their support. Also, in the Email field it is not necessary to specify a real email: some SMTP servers authenticate users with a separate user id, which is not an email.) If you leave these fields empty you will get the following exception:

Global Exception LoggerException: System.NullReferenceException: Object reference not set to an instance of an object.    
at Plumsail.WFServices.Common.SmtpEmailRepository.I1e(String  )    
at Plumsail.WFServices.Common.SmtpEmailRepository.SendEmail(Email email)    
at Plumsail.WFServices.Services.ExchangeController.SendEmail(EmailSendRequest request)    
at SyncInvokeSendEmail(Object , Object[] , Object[] )    
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)    
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)    
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)    
at System.ServiceModel..Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)    
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

This is one of the limitations, because you can’t use an internal company SMTP server which is available only internally and doesn’t require authentication.

If you specified all SMTP settings with Email and Password you may also get the following error:

Exception: Could not load file or assembly 'Microsoft.Exchange.WebServices, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

In order to fix it you need to install the MS Exchange Web Services API, which is available here. This may be a bit confusing, because the Exchange API is needed in scenarios where you use SMTP. However, after installation it should successfully send emails to external users.

Tuesday, December 8, 2015

Speaking with lecture “Using .Net expression trees for creating translators on C#” in Computer Science Center in St-Petersburg

Yesterday I presented the open lecture “Using .Net expression trees for creating translators on C#” at the Computer Science Center in St-Petersburg. Computer Science Center is an initiative of leading IT companies in St-Petersburg which is intended to prepare students to work in the IT industry by providing advanced education in computer science (programming languages, algorithms, etc.). It was an interesting format and an interesting experience, thanks to all participants. The presentation from the lecture is available on SlideShare:

Tuesday, December 1, 2015

Copy taxonomy field values using javascript object model in Sharepoint

Suppose that we have a file in a source list and we need to copy this file with its metadata to a target list. The source and target lists may be located in different site collections. In this post I will show how to copy metadata from the source file to the target using the javascript object model. This approach may be useful when you need to perform a similar task in Sharepoint Online.

Let’s assume that we need to copy 3 taxonomy fields: Region, Country and Language. It can be done using the following code:

   1: var ctx = ...
   2: var sourceItems = ...
   3: var targetList = ...
   4: var targetItem = ...
   6: var enumerator = sourceItems.getEnumerator();
   7: enumerator.moveNext();
   8: var sourceItem = enumerator.get_current();
  10: var fieldRegion = targetList.get_fields().getByInternalNameOrTitle("Region");
  11: var fieldRegionTax = ctx.castTo(fieldRegion, SP.Taxonomy.TaxonomyField);
  12: ctx.load(fieldRegionTax);
  14: var fieldCountry = targetList.get_fields().getByInternalNameOrTitle("Country");
  15: var fieldCountryTax = ctx.castTo(fieldCountry, SP.Taxonomy.TaxonomyField);
  16: ctx.load(fieldCountryTax);
  18: var fieldLanguage = targetList.get_fields().getByInternalNameOrTitle("Language");
  19: var fieldLanguageTax = ctx.castTo(fieldLanguage, SP.Taxonomy.TaxonomyField);
  20: ctx.load(fieldLanguageTax);
  22: ctx.executeQueryAsync(
  23:     Function.createDelegate(this, function (sender, args) {
  24:         getTaxonomyFieldsSuccess(ctx, sourceItem, targetItem, fieldRegionTax,
  25:     fieldCountryTax, fieldLanguageTax); }),
  26:     Function.createDelegate(this, function (sender, args) {
  27:         console.log("Load taxonomy fields failed: " + args.get_message() + "\n" +
  28:             args.get_stackTrace()); }));
  30: function getTaxonomyFieldsSuccess(ctx, sourceItem, targetItem,
  31:     fieldRegionTax, fieldCountryTax, fieldLanguageTax) {
  32:     if (sourceItem.get_item("Region") != null) {
  33:         var targetValue = new SP.Taxonomy.TaxonomyFieldValue();
  34:         targetValue.set_label(sourceItem.get_item("Region").get_label());
  35:         targetValue.set_termGuid(sourceItem.get_item("Region").get_termGuid());
  36:         targetValue.set_wssId(sourceItem.get_item("Region").get_wssId());
  37:         fieldRegionTax.setFieldValueByValue(targetItem, targetValue);
  38:     }
  40:     if (sourceItem.get_item("Country") != null) {
  41:         var targetValue = new SP.Taxonomy.TaxonomyFieldValue();
  42:         targetValue.set_label(sourceItem.get_item("Country").get_label());
  43:         targetValue.set_termGuid(sourceItem.get_item("Country").get_termGuid());
  44:         targetValue.set_wssId(sourceItem.get_item("Country").get_wssId());
  45:         fieldCountryTax.setFieldValueByValue(targetItem, targetValue);
  46:     }
  48:     if (sourceItem.get_item("Language") != null) {
  49:         var targetValue = new SP.Taxonomy.TaxonomyFieldValue();
  50:         targetValue.set_label(sourceItem.get_item("Language").get_label());
  51:         targetValue.set_termGuid(sourceItem.get_item("Language").get_termGuid());
  52:         targetValue.set_wssId(sourceItem.get_item("Language").get_wssId());
  53:         fieldLanguageTax.setFieldValueByValue(targetItem, targetValue);
  54:     }
  56:     targetItem.update();
  57:     ctx.executeQueryAsync(
  58:         Function.createDelegate(this, function (sender, args) {
  59:             console.log("Metadata is copied successfully");
  60:         }),
  61:         Function.createDelegate(this, function (sender, args) {
  62:             console.log("Copying metadata failed: " + args.get_message() + "\n" +
  63:                 args.get_stackTrace());
  64:         }));
  65: }

First we load the taxonomy fields from the target list (lines 10-21). Then, having these fields, we set their values using the label, term guid and wssId properties of the source field value (lines 32-54).