I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN, which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this HTTP header and just render the frame?

A: 

If the developers of IE8 did their job well (and I believe they did), it is impossible for you to ignore this X-Frame-Options. You can open it in a completely new window.

Steven
Well, it's just an HTTP header. I have complete control over the content that renders on my page. If my only goal was to render static content, I would just do a httpwebrequest on the URL and render the returned content directly to the iframe, ignoring ALL the HTTP headers. The problem is that the very next time an action they take causes that frame to refresh, it won't work any more.
Daniel Coffman
+1  A: 

If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.

There's nothing you can do to circumvent it and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says not allowed in frames. That would make it easier for session hijacking.

If the content is GET only and you don't post data back, then you could get the page server side and proxy the content without the header, but then any post back should get invalidated.

Keith
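
As an added example (not part of the original thread or anyone's code in it): a JavaScript model of the X-Frame-Options check as the current HTML Standard defines it, showing why the report is blocked in a cross-origin frame and renders once the serving site stops sending the header. The host names are constructed placeholders, and IE8's own implementation may differ in detail.

```javascript
// Added example: models the X-Frame-Options check in the current HTML Standard.
// Older browsers such as IE8 may differ (e.g. in which ancestor is compared).
function originOf(url) {
  return new URL(url).origin; // scheme + host + port, default ports normalised
}

// headerValues: every X-Frame-Options value on the response (one string per header line).
// frameUrl: URL of the framed document. ancestorUrls: embedding pages, parent first.
function frameDecision(headerValues, frameUrl, ancestorUrls) {
  // Header lines are combined, split on commas, trimmed, lower-cased, de-duplicated.
  const values = new Set(
    headerValues.join(',').split(',').map(v => v.trim().toLowerCase()).filter(Boolean)
  );
  const known = ['deny', 'sameorigin', 'allowall'].filter(v => values.has(v));

  // Two different values where at least one is recognised: fail closed.
  if (values.size > 1 && known.length > 0) {
    return { render: false, reason: 'conflicting X-Frame-Options values' };
  }
  if (values.has('deny')) {
    return { render: false, reason: 'DENY' };
  }
  if (values.has('sameorigin')) {
    const target = originOf(frameUrl);
    const foreign = ancestorUrls.find(a => originOf(a) !== target);
    return foreign
      ? { render: false, reason: `SAMEORIGIN: ${originOf(foreign)} is cross-origin` }
      : { render: true, reason: 'SAMEORIGIN and all ancestors match' };
  }
  // No header, ALLOWALL, or an unrecognised value: the header places no restriction.
  return { render: true, reason: 'no effective X-Frame-Options restriction' };
}

// Constructed hosts standing in for the two companies in the question.
const REPORT = 'https://sharepoint.partner.example/reports/q3.aspx';
const MY_PAGE = 'https://portal.mycompany.example/dashboard';
const SAME_SITE = 'https://sharepoint.partner.example/home';
const checks = {
  crossOrigin: frameDecision(['SAMEORIGIN'], REPORT, [MY_PAGE]),
  sameOrigin: frameDecision(['sameorigin'], REPORT, [SAME_SITE]),
  headerRemoved: frameDecision([], REPORT, [MY_PAGE]),
  conflicting: frameDecision(['SAMEORIGIN', 'ALLOWALL'], REPORT, [SAME_SITE]),
};
console.log(checks);
```

The `conflicting` case matters when a header is added at more than one layer (for example by the web server and by the application): two different values block the frame even for same-origin parents.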