1. Since you are admin, the iframe options are set up in IIS, and it's mainly done to avoid frameable clickjacking attacks.
2. Page level:
I recommend you go to the specific HTML page with the iframe and add a meta tag, e.g.
<meta name="X-FRAME-OPTIONS" content="ALLOW-FROM" />
If the value contains the token ALLOW-FROM origin, the browser will block rendering only if the origin of the top-level browsing context is different than the origin value supplied with the Allow-From directive. For instance, if http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.
3. IIS setting:
The below mentioned details will ensure your entire site is configured with the X-Frame-Options specified above and all the pages in your site would be affected.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. In the Actions pane on the right side, click Add.
5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
6. Click OK to save your changes.
The "ALLOW-FROM" is generally not supported by most of the browsers.
Refer:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
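An added example, not part of the answer above: a small Python check that applies the X-Frame-Options rules described in that answer to a header value, so the header configured in IIS can be audited against a given framing site. The function names, the `supports_allow_from` switch and the `other.example` origin are assumptions made for illustration; a browser without ALLOW-FROM support is modelled as ignoring the header.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def framing_allowed(xfo_value, page_url, top_level_url, supports_allow_from=True):
    """Would a browser render page_url in a frame under top_level_url?

    Returns (allowed, note). supports_allow_from=False models a browser
    that does not implement ALLOW-FROM and ignores the header.
    """
    if xfo_value is None or not xfo_value.strip():
        return True, "no X-Frame-Options header: any site may frame the page"
    tokens = xfo_value.strip().split(None, 1)
    directive = tokens[0].upper()
    if directive == "DENY":
        return False, "DENY: never rendered in a frame"
    if directive == "SAMEORIGIN":
        same = origin(page_url) == origin(top_level_url)
        return same, "SAMEORIGIN: framed only by its own origin"
    if directive == "ALLOW-FROM":
        if len(tokens) < 2:
            # Conservative audit assumption: a malformed value protects nothing.
            return True, "ALLOW-FROM without an origin: treated as no protection"
        if not supports_allow_from:
            return True, "ALLOW-FROM ignored by this browser: no protection"
        match = origin(tokens[1].strip()) == origin(top_level_url)
        return match, "ALLOW-FROM: framed only by the listed origin"
    return True, "unrecognised value: treated as no protection"


if __name__ == "__main__":
    page = "http://shop.example.com/confirm.asp"
    header = "ALLOW-FROM https://partner.affiliate.com"
    # Constructed framing sites; other.example is a placeholder origin.
    for top in ("https://partner.affiliate.com/offers", "https://other.example/"):
        print(top, framing_allowed(header, page, top))
    print("no ALLOW-FROM support:",
          framing_allowed(header, page, "https://other.example/", False))
```

The last call shows why SAMEORIGIN is the value used in the IIS steps: where ALLOW-FROM is not implemented, the page ends up frameable from any origin.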
–
You can use option ALLOW-FROM of X-FRAME-OPTIONS (I have not tested this). Beware that this is not supported by all the browsers.
Add to your master page the following code
<%@ Register Tagprefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<WebPartPages:AllowFraming runat="server"/>
Pay attention because it only works with ASPX pages.
Use the URL Rewrite IIS extension to remove the X-Frame-Options. You should check the origin of the request and remove the X-Frame-Options from the response. To do this, install the extension, go to the URL Rewrite config, add a new variable called RESPONSE_X-FRAME-OPTIONS and then you should define a new blank rule rewriting the value of X-FRAME-OPTIONS with an empty string.