IFraming SharePoint-hosted pages in apps


This post is brought to you by Matt Swann, Senior Security Engineer on the SharePoint security team, and Humberto Lezama-Guadarrama, Program Manager on the Office Developer Platform team.

When you build apps for SharePoint 2013 (or even classic solutions) you can host pages on SharePoint. Often, you will also want to IFRAME those pages in other experiences, for example, when using app parts. By default, SharePoint 2013 prevents cross-domain IFRAMING of pages as a security measure to prevent clickjacking. This post explains what clickjacking is, how SharePoint prevents it, and how to allow your pages to be IFRAMED if your scenarios call for it.

Clickjacking

Clickjacking is a web attack that tricks a victim into clicking a link or button that they did not intend to click. An attacker’s website may exploit a clickjacking vulnerability by hosting the target page in an IFRAME and layering benign content around it, so that the victim will click the desired link. For more information, see the OWASP guidance on clickjacking.

To defend against clickjacking exploits, a site may prevent its pages from being loaded in an IFRAME. It can do so by setting an X-Frame-Options header in the HTTP response, which instructs the browser to disallow framing. For more details about X-Frame-Options, see the post IE8 Security Part VII: ClickJacking Defenses on IEBlog. Microsoft also published a KB article, Mitigating framesniffing with the X-Frame-Options header, which describes how to configure IIS to send this header.

SharePoint 2013 uses the X-Frame-Options header to prevent its pages from being targeted by a clickjacking attack. Each HTTP response sends an X-Frame-Options: SAMEORIGIN header, which indicates that this page must not be loaded in an IFRAME if the outer (hosting) page is on a different domain than the SharePoint page. This has some implications for IFRAME scenarios with SharePoint:

  • SharePoint pages that host external content in an IFRAME are not affected. For example, if you IFRAME a Bing Map, a page hosted on Windows Azure, or some other hosting service.
  • SharePoint pages that host other pages from the same SharePoint site in an IFRAME are not affected. For example, if you have a page in your app that IFRAMES another page within the same app.
  • SharePoint pages that host other SharePoint pages located in a different domain in an IFRAME will display an error in the IFRAME, usually “This content cannot be displayed in a frame“. For example:
    • Using an app part to display a page hosted on your app web displays an error unless you explicitly opt-out of the IFRAMING protection. This is because app webs are isolated for security reasons. 
    • IFRAMING content from the –my domain into a different domain displays an error.  A typical case is trying to IFRAME a my-site page into a team site.

Note: HTML pages hosted on app webs aren’t affected by the clickjacking protection. They can be IFRAMED without restrictions because they are pages explicitly authored by the app developer.

Allowing your SharePoint-hosted pages to be IFRAMED

SharePoint page developers can opt-out of clickjacking protection by adding the AllowFraming control to their .aspx pages:
<WebPartPages:AllowFraming runat=”server” />

This control instructs SharePoint not to send the X-Frame-Options header when this page is requested. Without the X-Frame-Options header, the page is able to be IFRAMED.

Note: When you are using any of the Microsoft developer tools, such as Visual Studio, this Web Part is automatically added when creating new pages.

SharePoint page developers should carefully evaluate whether their page may be vulnerable to a clickjacking exploit when the AllowFraming control is used. Their page must not expose forms, buttons, or other functionality that could allow a user to modify content or change settings that affect security.

Additional Internet Explorer “zones” considerations

When you are working with SharePoint on Office 365 (also known as SharePoint Online) you may run into an error when viewing apps that use Web Parts, as described in this forum thread. While the symptoms seem similar, getting a “This content cannot be displayed in a frame” message, the root cause of the issue is different. What happens in the case discussed in the forum is that sites involved in SharePoint authentication may end up in different IE “zones” and so not be able to share cookies. This results in attempting to display a login page within an IFRAME, which can’t be done for security reasons. This is a known issue that affects only Internet Explorer (other browsers don’t have security zones) and folks on various teams are working on a resolution. You can monitor the referenced thread for any updates.

Also, if you are using our cross-domain library, you may want to take a look at the blog post Solving cross-domain problems in apps for SharePoint. It has a reference about how you can overcome the “zones” issue when using our library on pages that are not SharePoint-hosted.

As always, if you have comments or questions please let us know or hit our forums.

Happy coding!

Comments (23)

  1. Francisco Euzebio da Cruz says:

    Cada oportunidade nos é oferecido para aprender algo novo e interessante em sites, blogs e redes sociais. Isto, nos socializa ao direito da informação e do conhecimento.

  2. Hi,

    I've a Sharepoin-hosted app, named A, with a default Default.aspx page.

    On top of this page I wrote:

    <asp:Content ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server">

    <WebPartPages:AllowFraming ID="AllowFraming1" runat="server" />

    Now I've another Sharepoin-hosted app, named B, where I wrote the following line:

    <iframe src="app-5a060d47f5926e.apps.code/…/Default.aspx height="600" width="900" ></iframe>

    but when I try to see the app B by the app A I receive the following error:

    Refused to display document because display forbidden by X-Frame-Options.

  3. I have resolved the issue I was facing with iframing,

    Super thanks to Author,

    Sarah

    browse for Sharepoint

    http://www.sqlservermanagementstudio.net

  4. Kaviya says:

    I have created Power viewer report(.rdlx) in SharePoint 2013(On premise). We tried to show this report in CRM 2011 .

    But I got an error message "This content cannot be displayed in a frame".  

    Is it Possible to show SharePoint 2013 BI report in CRM 2011?

    If possible means please give solution for this.

    Thanks in Advance .awaiting reply.

  5. kaviya says:

    Hi

    I have created power viewer report(.rdlx) in SharePoint 2013. And I tried to show in CRM 2011 iframe,

    But it shows below error message:

    "This content cannot be displayed in a frame"

    Is it possible to show SharePoint 2013 power viewer(.rdlx) report in CRM 2011?

    Note: But we are showing SharePoint 2010 power viewer report in CRM 2011,Its working fine.

    Thanks in Advance,

  6. Milt Haynes says:

    Unable to insert iframe in html snippet. iframe file is hosted on same domain as public facing website. Screen shot at link below.

    bgge3-public.sharepoint.com/…/iframe_error.jpg

  7. Gary D says:

    Hi Humberto,

    That's a good solution and it works for webpart pages.

    But not for application pages (especially upload.aspx)

    I have a document library that I'm displaying as an IFRAME and when a user tries to upload document, it pulls the upload.aspx from layouts/15 folder. And this is where it errors out as it detects that its being called from an IFRAME.

    I tried editing upload.aspx but none of the edits had any effect on the page.

    Any ideas?

  8. Alex says:

    Hi kaviya,

    Did you solve the issue, I am in a same boat, need to display sharepoint 2013 powerview report in asp.net mvc application and getting the same error message. if you have solved the issue can you please share.

    Thanks

    Alex

  9. HelpInSP says:

    Hi Gary/Humberto,

    I have a similar issue as Gary. I get an access denied error (for init.js) when i embed the Sharepoint app inside IFRAME in my webapp. Any help is appreciated.

    Thanks.

  10. Sudip Misra says:

    My iframe file is hosted on same domain(_layout application page) as public facing website. It says "Unknown server tag 'WebPartPages:AllowFraming'."

  11. Rich Horsley says:

    Hi, did anyone ever solve this issue for framing with the upload.aspx file? Trying to correct this myself right now and help would be appreciated! I wish I could just disable this feature globally for the whole sharepoint site, it's causing me a total nightmare :/

    Rich

  12. Marius says:

    Hi kaviya,

    Did you solve the issue, I have the same problem, need to display sharepoint 2013 site in Oracle BI application and getting the same error message. if you have solved the issue can you please share.

    Thanks

    Marius

  13. Shai Petel says:

    Hi Humberto,

    I have an interesting case with one customer – he is using my app and I have a page marked with <WebPartPages:AllowFraming runat="server" />

    For some reason this page does not load in an iFrame for him on his host web, only on IE.

    The same page works on other browsers, and the same app works on other tenants in IE as well – only this tenant, only IE, doesn't work.

    Any ideas?

  14. humlezg says:

    Hello Shai,

    Can you repro the problem on IE on your end?  Because it sound like there might be an issue with how "zones" are configured. Most likely what is happening is that cookies aren't being shared because different trust zones and the login page attempts to be Iframed so the error that you are seeing is likely not from your page but from the login page which can't be iframed by design.  I suggest to double check the IE zones trust configuration and ensure that everything is on the same zone. Chrome and Firefox don't have the security zones feature so that is likely why you are don't seeing issues there.

  15. Oscar says:

    Hi All,

    Im using SharePoint 2013 online and Office 2013

    I am working on an access app project which would allow the user to upload documents to the documents folder in SP from within an Iframe in an access app all in the same SP.

    The idea is that rather than having to move from one IE tab to the other the user can drag and drop the document in the iframe which will be in the pop up. then have a SP document list displaying bellow the iframe to confirm that the file has been indeed uploaded. When I load the app I get a "This content cannot be displayed in a frame" my idea is based in a book "Professinal Access 2013 Programming" chapter 10 Inlining a web app in access web app. I have also read that I can have a website viewer which can display a website, folder or file but its asking me for the path which I don't know and it doesn't take URLs.

    I hope im clear and you guys can help me resolve this task.

    Thanks

  16. Prasad says:

    Is there any update on this? When can we expect a fix for this issue?

  17. Prashant says:

    Can you please provide update on this?

  18. Victor Benil says:

    Una actualización del tema, estoy con los mismos problemas…

  19. bill padmore says:

    So after more pain than I can remember I have come to the following conclusion.

    In order to allow the SP designer to work you have to enable annoymous authentication in IIS for the SP site.

    In order to get the upload.aspx form to open in an IFrame you need to disable annoymous authentication in IIS!

    You also have to add the <WebPartPages:AllowFraming runat="server" ></WebPartPages:AllowFraming> tag to both the

    modified minimal master used for the list page and the default master used for the upload.aspx page.

    Once modifications are complete you need to return the IIS auth mode to annonymous = disabled.

  20. Mahendra Nikam says:

    I have resolved the issue I was facing with iframing,

    Thanks to Author,

    Mahen

  21. swanl98 says:

    Hi Mahendra

    Can you please share what you did to resolve this.  I got the same issue.

    Thanks

    Swanl

  22. Sam Tocco says:

    Excellent article but I am still getting the cannot display in a frame message even after trying everything outline in it.

    I created a simple provider hosted app part in Visual Studio 2013 and I am attempting to get it to display in a developer site collection in my SharePoint Online. I used SharePoint Designer to add the AllowFraming tag into my master page for the developer site and still get the error.  When I look at the header in Fiddler I still see the "X-Frame-Options:SAMEORIGIN" being added so it appears its not honoring the tag for some reason.  I am not sure if that has anything to do with because its SharePoint Online and there is some extra protection in place that I am not aware of.

    Any suggestion or guidance is greatly appreciated.

  23. Toni says:

    I often have this problem in IE (fine with Chrome or Firefox), The only thing works for me:

    In IE, delete browsing history, close IE, wait for a while, then restart IE