This project is read-only.

Permissive XFrame Header

NOTE: This is a Farm Solution (Full Trust Code), NOT a Sandbox Solution

A SharePoint 2010 and SharePoint 2013 module that will allow SharePoint, Excel Services, Office Web Apps or InfoPath Forms Services to be rendered inside cross-domain iframes.

This post is a revision of an old blog post on rendering Excel Services in an iframe on a different domain. The browser refuses to do this because the HTTP response header X-FRAME-OPTIONS: SAMEORIGIN is added to the response. The issue isn’t limited to Excel Services; it applies to any SharePoint-hosted page that you want to display in an iframe.

Consider the following:

  • SharePoint 2013 will always render the X-FRAME-OPTIONS header, even for regular pages. Adding an AllowFraming control to the page fixes that, but doesn’t cover all situations.
  • You can’t add the AllowFraming control to Office Web Apps or InfoPath Forms Server (“FormServer.aspx”)
  • Clicking on (pdf) documents in a Document Library in the iframe will fail to load them because the document is a different request
  • You have a basic “integration” between different systems (like Dynamics CRM) and SharePoint content that uses iframes

The content cannot be displayed in a frame


This is an HttpModule that can be activated per Web Application through a Web Application Feature and ensures that all pages will render inside an iframe. The module sets values that prevent SharePoint from trying to inject the header in the first place, but for some exceptions (Office Web Apps 2010, XLViewer 2013) the header still has to be removed at the end of the request.

Installation and activation

Download from here (Ventigrate Codeplex Repository)

Deploy the WSP (farm solution) to the SharePoint Farm

Activate the Web Application Feature for the Web Application you want to host inside an iframe
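
To check after activation which responses still carry the header (pages, document requests, FormServer.aspx), the script below classifies captured response headers by their X-FRAME-OPTIONS value. It is an added example, not part of this project; the host names, paths and header captures are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port): the tuple compared for SAMEORIGIN."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def xfo_values(raw_headers):
    """Every X-Frame-Options value in a raw response header block."""
    values = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values

def framing_verdict(raw_headers, resource_url, parent_url):
    """'allowed', 'blocked' or 'unknown' for parent_url framing resource_url.
    Only X-Frame-Options is evaluated, the header this page discusses."""
    values = xfo_values(raw_headers)
    if not values:
        return "allowed"
    if "DENY" in values:
        return "blocked"
    if "SAMEORIGIN" in values:
        same = origin(resource_url) == origin(parent_url)
        return "allowed" if same else "blocked"
    return "unknown"  # other values are not handled uniformly by browsers

def still_blocked(captures, parent_url):
    """URLs whose captured response would not render in a frame on parent_url."""
    return [url for url, raw in captures
            if framing_verdict(raw, url, parent_url) != "allowed"]

# Constructed captures; host names and paths are placeholders.
PARENT = "https://crm.example.test/dashboard"
CAPTURES = [
    ("https://sp.example.test/sites/a/default.aspx",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("https://sp.example.test/sites/a/Docs/report.pdf",
     "HTTP/1.1 200 OK\r\nx-frame-options: SameOrigin\r\nContent-Type: application/pdf\r\n"),
    ("https://sp.example.test/_layouts/FormServer.aspx",
     "HTTP/1.1 200 OK\r\nX-FRAME-OPTIONS: SAMEORIGIN\r\n"),
]

if __name__ == "__main__":
    for url in still_blocked(CAPTURES, PARENT):
        print("still carries a blocking X-Frame-Options header:", url)
```

Replace CAPTURES with header blocks saved from the browser's network tab for each request type that has to render in the frame.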


Last edited Mar 19, 2015 at 11:38 AM by vandest, version 13


kelvinyam Feb 13 at 6:08 AM 
Hi, the solution is great, it solved the problem of pdf document display in iframe. However, when I click a .txt file in iframe, the error message comes out again. Any ideas?

i2seesharp Apr 9, 2015 at 9:00 AM 
Does this work with HTTPS, too?

Kind regards!