Ability to use <frame>, <iframe>, <object>, <embed> on non .sharepoint.com websites to embed content from .sharepoint.com
Currently SharePoint returns the X-Frame-Options header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) when trying to embed (with <frame>, <iframe>, <object>, <embed>) documents from external websites. The header is set to "sameorigin", which simply means only pages hosted on the .sharepoint.com domain can do that.
So let's look at the example below:
1. Company XYZ has an internal domain: xyz.com. The company is using SharePoint and stores documents, e.g. PDFs, there.
2. Company XYZ has an internal technical portal: portal.xyz.com and wants to embed documents from SharePoint.
3. Because X-Frame-Options is returned for any document (pdf/doc/xls etc.), #2 is impossible, as web browsers will not allow this kind of embedding.
There are modern alternatives that can be used instead of old X-Frame-Options header.
For instance, the Content-Security-Policy header, which, along with many other policies, can whitelist which URLs are allowed to host SharePoint pages/resources/files in a frame, using the frame-ancestors directive. frame-ancestors supports multiple domains and even wildcards, for example:
Content-Security-Policy: frame-ancestors 'self' *.sabre.com;
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
Therefore, a SharePoint site administrator should have the ability to configure the domains that the documents can be loaded from.
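To make the difference between the two headers concrete, here is an added example (not part of the original request and not SharePoint code) that models the browser's framing decision for the XYZ scenario. The function names `matchesSource` and `mayFrame`, the tenant host `xyz.sharepoint.com` and the `*.xyz.com` policy are constructed for illustration.

```javascript
// Simplified model of the framing decision (added example). It checks only the
// immediate parent; browsers check every ancestor in the frame chain.
const DEFAULT_PORT = { http: "80", https: "443" };

function matchesSource(source, parent, self) {
  if (source === "*") return true;
  if (source === "'self'") return parent.origin === self.origin;
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // 'none' and unsupported expressions match nothing
  const [, scheme, wildcard, host, port] = m;
  const parentScheme = parent.protocol.slice(0, -1);
  // No scheme in the source: use the framed resource's scheme (https may stand in for http).
  const wantScheme = (scheme || self.protocol.slice(0, -1)).toLowerCase();
  if (parentScheme !== wantScheme && !(wantScheme === "http" && parentScheme === "https")) return false;
  // No port in the source: only the scheme's default port matches.
  const parentPort = parent.port || DEFAULT_PORT[parentScheme];
  if (port !== "*" && parentPort !== (port || DEFAULT_PORT[parentScheme])) return false;
  const h = host.toLowerCase();
  // "*.xyz.com" matches subdomains only, never the bare "xyz.com".
  return wildcard ? parent.hostname.endsWith("." + h) : parent.hostname === h;
}

function mayFrame(headers, selfUrl, parentUrl) {
  const self = new URL(selfUrl), parent = new URL(parentUrl);
  const directive = (headers["content-security-policy"] || "")
    .split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    return directive.slice(1).some(s => matchesSource(s, parent, self));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return parent.origin === self.origin;
  return true; // no framing restriction sent
}

// Constructed sample: the document URL and both header sets are illustrative.
const DOC = "https://xyz.sharepoint.com/docs/report.pdf";
const TODAY = { "x-frame-options": "SAMEORIGIN" };
const REQUESTED = {
  "x-frame-options": "SAMEORIGIN",
  "content-security-policy": "frame-ancestors 'self' *.xyz.com;",
};
console.log(mayFrame(TODAY, DOC, "https://portal.xyz.com/"));     // false
console.log(mayFrame(REQUESTED, DOC, "https://portal.xyz.com/")); // true
```

Keeping X-Frame-Options alongside the policy, as in `REQUESTED`, leaves older browsers that do not understand frame-ancestors on the stricter same-origin behaviour.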
ludwig Hallgren commented
This would be excellent!
Doug Steckel commented
Is there any x-frame-option that could be used with a tenant level feature to provide a trusted/white listed set of domains for cross domain embeds?
Great idea, much needed.
Best. Feature. EVER.
What an excellent idea! Only a brilliant person could have thought of it!