Ability to use <frame>, <iframe>, <object>, <embed> on non .sharepoint.com websites to embed content from .sharepoint.com
Currently SharePoint returns the X-Frame-Options header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) when documents are embedded (with <frame>, <iframe>, <object>, <embed>) from external websites. The header is set to "sameorigin", which simply means that only pages hosted on the .sharepoint.com domain can do that.
So let's look at the example below:
1. Company XYZ has an internal domain: xyz.com. The company is using SharePoint and stores documents there, e.g. PDFs.
2. Company XYZ has an internal technical portal: portal.xyz.com, and wants to embed documents from SharePoint.
3. Because of the X-Frame-Options header returned with any PDF/DOC/XLS etc. document, #2 is impossible, as web browsers will not allow this kind of embedding.
There are modern alternatives that can be used instead of the old X-Frame-Options header.
For instance the Content-Security-Policy header, which, among many other policies, can whitelist the URLs that are allowed to host a SharePoint page/resource/file in a frame, using the frame-ancestors directive. frame-ancestors supports multiple domains and even wildcards, for example:
Content-Security-Policy: frame-ancestors 'self' *.sabre.com;
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
Therefore, SharePoint site administrators should have the ability to configure the domains that the documents can be loaded from.
Andy Clapham commented
Agree - we're trying to embed some content from our SharePoint in our NetSuite dashboards, but cannot embed modern pages.
For information, in old web part pages you could add an XML node <WebPartPage:AllowFraming runat="server" /> to the master page, and this would allow embedding the SharePoint page elsewhere (uncontrolled by domain). See this how-to: https://www.workbooks.com/help/sharepoint-framing-setup
A proper solution for modern pages would be appreciated.
We discovered something similar; good that UserVoice exists, but where are Microsoft's comments?
Our case: we try to load an iframe from an app in a domain that we manage, and the iframe loads file content from a SharePoint Online site that we manage.
Refused to frame '<URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com".
Why can't we, as domain admins and tenant admins, add our domain to this list?
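The policy quoted above and the frame-ancestors proposal in the original request come down to how a browser matches the framing page's origin against the directive's source list. The following is an added example (not code from the original post, the commenters, or SharePoint) that implements that matching for the subset of CSP source expressions that appear on this page: 'self', bare host names and "*." wildcard hosts, plus the X-Frame-Options "sameorigin"/"deny" rule for comparison. It ignores ports, paths and CSP's scheme-upgrade rules. The file URL contoso.sharepoint.com and the portal.xyz.com ancestor are constructed placeholders; the first policy string is the one reported in the comment above, the second is the kind of tenant-configurable policy the request asks for.

```python
# Added example (not from the original post): evaluate whether a framing page
# is permitted by a CSP frame-ancestors directive or by X-Frame-Options.
# Simplified: compares scheme+host only, ignores ports, paths and nonces.
from urllib.parse import urlsplit


def _origin(url: str) -> tuple:
    """(scheme, host) of a URL, lowercased; ports are deliberately ignored here."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower())


def parse_frame_ancestors(csp_header: str) -> list:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def _host_matches(pattern_host: str, host: str) -> bool:
    """CSP host matching: '*.example.com' matches any subdomain, not example.com itself."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_allows(source: str, ancestor_url: str, page_url: str) -> bool:
    """Does one frame-ancestors source expression permit ancestor_url to frame page_url?"""
    src = source.lower()
    anc_scheme, anc_host = _origin(ancestor_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(ancestor_url) == _origin(page_url)
    if src.endswith(":") and "://" not in src:  # scheme-source, e.g. "https:"
        return anc_scheme == src[:-1]
    if "://" in src:  # host-source with explicit scheme, e.g. "https://portal.xyz.com"
        scheme, _, host = src.partition("://")
        if anc_scheme != scheme:
            return False
    else:  # bare host-source, e.g. "*.sabre.com"
        host = src
    return _host_matches(host.rstrip("/"), anc_host)


def framing_allowed(csp_header: str, ancestor_url: str, page_url: str) -> bool:
    """True if the CSP permits the ancestor to frame the page (no directive = unrestricted)."""
    sources = parse_frame_ancestors(csp_header)
    if not sources:
        return True
    return any(source_allows(s, ancestor_url, page_url) for s in sources)


def xfo_allows(x_frame_options: str, ancestor_url: str, page_url: str) -> bool:
    """X-Frame-Options: DENY blocks all, SAMEORIGIN requires an identical origin.
    Browsers ignore any other value, so it places no restriction."""
    value = x_frame_options.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return _origin(ancestor_url) == _origin(page_url)
    return True


# Constructed sample data. The SharePoint policy string is the one quoted in the comment above.
PAGE_URL = "https://contoso.sharepoint.com/sites/docs/report.pdf"  # placeholder tenant
SHAREPOINT_CSP = (
    "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com "
    "*.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com "
    "*.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com"
)
# What a tenant-configured policy allowing the company's own subdomains would look like.
PROPOSED_CSP = "frame-ancestors 'self' *.xyz.com"

if __name__ == "__main__":
    for policy_name, policy in (("current", SHAREPOINT_CSP), ("proposed", PROPOSED_CSP)):
        for ancestor in ("https://portal.xyz.com/dashboard",
                         "https://teams.microsoft.com/",
                         "https://xyz.com.attacker.example/"):
            print(policy_name, ancestor, framing_allowed(policy, ancestor, PAGE_URL))
```

Two points the output makes concrete: with the current policy, portal.xyz.com is refused purely because it is neither 'self' nor in Microsoft's fixed list, which is the complaint in this thread; and a wildcard such as *.xyz.com is anchored on the dot, so it admits portal.xyz.com but not xyz.com itself and not a look-alike host such as xyz.com.attacker.example, which is why a tenant-managed allow list is safer than the old AllowFraming switch that removed the restriction entirely.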
Open the Word document in SharePoint, go to File -> Share and click on Embed. This gives you code that requires a login. It would be great if it would also automatically give you code that allows anonymous sharing.
Ludwig Hallgren commented
This would be excellent!
Doug Steckel commented
Is there any X-Frame-Options value that could be used with a tenant-level feature to provide a trusted/whitelisted set of domains for cross-domain embeds?
Great idea, much needed.
Best. Feature. EVER.
What an excellent idea! Only a brilliant person could have thought of it!