This error happens when a user tries to load SharePoint 2013 pages in an Iframe element on a website in a different domain (which can be another SharePoint farm). SharePoint 2013 introduced this security measure to block cross-domain Iframing in order to prevent clickjacking (like the goldfish, it’s pretending to be something else). It is built-in, by-design functionality that Microsoft added to SharePoint 2013, forcing the HTTP response to include the header X-FRAME-OPTIONS: SAMEORIGIN. (If you just want to know how to bypass the behavior, follow this link.)
You can view the X-FRAME-OPTIONS value using the Explorer dev tools (F12). By navigating to Network in the top navigation, you can find X-FRAME-OPTIONS in the network log with the value SAMEORIGIN, which means framing is allowed only if the site that wants to consume the pages is in the same domain as the SharePoint pages (the source content).
This behavior is not restricted to SharePoint: any IIS-hosted site can be set to restrict Iframing. All you need is to set the IIS HTTP response headers to include the above header with the SAMEORIGIN value. Some .NET applications include this restriction in the Web.config file.
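To make the header's effect concrete, here is an added example (not code from this post or from SharePoint) that evaluates captured response headers and reports which pages a given parent site could frame. It assumes a single level of nesting, looks at X-Frame-Options only (not Content-Security-Policy frame-ancestors), and uses constructed host names and responses.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def xfo_values(headers):
    """Merge repeated headers and comma-separated lists into one lowercase set."""
    found = set()
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            found.update(v.strip().lower() for v in value.split(",") if v.strip())
    return found

def framing_allowed(page_url, parent_url, headers):
    """True if a browser would render page_url inside a frame hosted on parent_url."""
    values = xfo_values(headers)
    if len(values) > 1:
        # Conflicting values: blocked as soon as one recognised keyword is present.
        return not (values & {"deny", "sameorigin", "allowall"})
    if "deny" in values:
        return False
    if "sameorigin" in values:
        return origin(page_url) == origin(parent_url)
    return True  # header absent, or only a value current browsers ignore (ALLOW-FROM)

def audit(parent_url, responses):
    """Return the page URLs that parent_url would be able to frame."""
    return [url for url, hdrs in responses if framing_allowed(url, parent_url, hdrs)]

# Constructed sample data: hypothetical farm URLs and the headers each returned.
SP = "https://sp.contoso.example"
SAMPLE = [
    (SP + "/sites/hr/default.aspx", [("X-Frame-Options", "SAMEORIGIN")]),
    (SP + "/sites/news/home.aspx", []),  # header no longer sent
    (SP + "/sites/it/wiki.aspx", [("x-frame-options", "sameorigin, DENY")]),
    (SP + "/sites/old/page.aspx",
     [("X-Frame-Options", "ALLOW-FROM https://portal.contoso.example")]),
]

if __name__ == "__main__":
    for parent in (SP + "/", "https://portal.contoso.example/"):
        print(parent, "can frame:", audit(parent, SAMPLE))
```

Running the same audit before and after a master page change shows exactly which pages lost the restriction.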
So now that we have a little bit of background, the real question is whether you really want to bypass this behavior. My take on this is as complicated as my personality: it really depends on your environment. If your website is an intranet platform, for example, which serves web pages only to your company’s employees in a protected zone and requires user authentication, your risk may be lower than that of an internet website that is open to everyone. It also depends on your company’s policies and guidelines regarding Iframing and avoiding clickjacking. I am sure that if you, or your company, had the bad experience of being a victim of clickjacking, or just content abuse, where your content is hijacked by an unauthorized site, you will be less comfortable with, or less inclined to, bypassing this built-in restriction.
A side note about Iframe in general: yes, this HTML element is still supported, and HTML 5 has two new attributes for iframe: seamless, and the intriguing sandbox.
Some of the options available:
- Allow framing on a Master Page – You can use this option only if you are sure that the content of your site collection is not sensitive and can be consumed within other sites’ iframes. (How To instructions for master page Iframing)
- Allow framing to a specific page – You can target specific pages within SharePoint to be consumed by iframe. It may require detaching a page from its layout and creating a dedicated master page that allows Iframing. (Instructions on page-level Iframing … coming soon)
- Use the SharePoint API to consume data through CSOM rather than an Iframe. The downside is that you will need to put effort into redesigning and rebranding the data, and write code to retrieve the data. The pros: you have more control on the look a