3

I'm trying to display an Excel document from SharePoint 2010 Excel Services in an iframe, but I'm getting an error due to the x-frame-options header. I have access to the SharePoint server, and all online searches tell me to go to IIS Manager -> HTTP Response Headers to remove it. But it's not there.

I tried adding my own header as suggested here: https://stackoverflow.com/questions/6666423/overcoming-display-forbidden-by-x-frame-options to no avail.

I also tried changing a SharePoint setting suggested here: Disabling X-FRAME-OPTION: SAMEORIGIN HTTP Response Header on SharePoint/PowerPivot xlsviewer.aspx. That didn't work either.

It's not a proxy adding it or anything because other SharePoint sites on the network do not have the header.

Is there another place x-frame-options could be set?

UPDATE: After more investigating, it turns out only the SharePoint Excel Services page (xlviewer.aspx) includes x-frame-options = SAMEORIGIN. So one would assume there's a setting in SharePoint.

nthpixel

1 Answer

1

So it doesn't look like you can turn it off in SharePoint Admin. I ended up installing an HttpModule to strip out the offending header and it works great. http://ventigrate.codeplex.com/releases/view/79825

nthpixel
  • Removing the `X-Frame-Options: SAMEORIGIN` header will expose your site to Clickjacking attacks. You should use `X-Frame-Options: ALLOW-FROM https://www.example.org` or, better, replace it with `Header set content-security-policy frame-ancestors 'self' https://www.example.org`. – Mircea Vutcovici May 24 '16 at 17:29
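An added example, not part of the thread and not the Ventigrate module's code: an HttpModule that, instead of stripping the header everywhere, rewrites the framing policy only on the Excel Services viewer page so that one named parent origin may embed it, combining the two headers from the comment above. The class name, the `TrustedParent` placeholder origin and the path check are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Added illustration. Assumed names: FrameAncestorsModule, TrustedParent.
public sealed class FrameAncestorsModule : IHttpModule
{
    // Placeholder: the single origin that is allowed to frame the viewer.
    private const string TrustedParent = "https://www.example.org";

    public void Init(HttpApplication app)
    {
        // Fires just before headers are sent, after SharePoint has added its own.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context == null) return;

        // Scope the change to the Excel Services viewer page only;
        // every other response keeps whatever framing header it already has.
        string path = context.Request.FilePath;
        if (!path.EndsWith("/xlviewer.aspx", StringComparison.OrdinalIgnoreCase))
            return;

        // Response.Headers is writable only in the IIS integrated pipeline.
        var headers = context.Response.Headers;

        // Browsers that implement CSP frame-ancestors enforce this and
        // ignore X-Frame-Options when both are present.
        // Assumption: no other Content-Security-Policy is set on this page,
        // since Set() overwrites an existing value.
        headers.Set("Content-Security-Policy",
            "frame-ancestors 'self' " + TrustedParent);

        // Fallback for older browsers that understand ALLOW-FROM but not
        // frame-ancestors. Browsers that support neither form are left
        // without framing protection on this one page.
        headers.Set("X-Frame-Options", "ALLOW-FROM " + TrustedParent);
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered in the web application's `web.config` modules section; checking the response headers of `xlviewer.aspx` and of an unrelated page confirms the change is limited to the viewer.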