Recently a colleague wanted to display a with Excel Services rendered workbook inside a cross-domain iframe:
- Excel Services: http://intranet/_layouts/xlviewer.aspx?id=%2FShared%20Documents%2FBook1%2Exlsx&DefaultItemOpen=1
- Other domain web site with iframe: http://lux
But because Excel Services and Office Web Apps render a HTTP response header X-FRAME-OPTIONS: SAMEORIGIN this won’t work and you get “This content cannot be displayed in a frame”
Not used to seeing such a straight-forward error :)
I did a bit of investigating but couldn’t find an easy way to configure this through UI or Powershell, so I was left with the following options:
- Strip the header in a reverse proxy (between client and SharePoint server) like Apache or ForeFront
- Remove the header with development of a HttpModule
PermissiveXFrameHeader
I wrote up a quick HttpModule that can be activated by Web Application Feature and will remove the X-FRAME-OPTIONS header no questions asked.
You might want to adapt the code for additional checks on referrer, querystring, client, or similar for conditional removal of the header (see final note below).
Installation and activation
Download from here (Ventigrate Codeplex Repository)
Deploy the WSP (farm solution) to the SharePoint Farm
STSADM -o addsolution -filename Ventigrate.Shared.PermissiveXFrameHeader.wsp
STSADM -o deploysolution -name Ventigrate.Shared.PermissiveXFrameHeader.wsp -allowgacdeployment -immediate
Activate the Web Application Feature to the Web Application referred to in the iframe
Final note
The header was designed to protect against clickjacking. If you intend to use the above solution keep this in mind and plan for it accordingly.