Framed Office Web Apps SharePoint 2010

In a project I'm working on, we wanted to use Office Web Apps in SP2010 to preview selected documents in the browser. To do so, we created a very simple web part that renders an iframe with its URL set to one of the Office Web Apps URLs, depending on the document extension. Unfortunately, the X-Frame-Options header that the Office Web Apps service adds prevents Internet Explorer from rendering the documents in an iframe! To solve this, we created a very simple HttpModule that checks for the header and changes the value from "DENY" to "SAMEORIGIN". With SAMEORIGIN the browser still refuses to render the response in a frame on a page from another origin, so the change only helps pages served from the same origin as the Office Web Apps URLs. This post simply shows the code for such a module, which enables previewing of documents with Office Web Apps inside an iframe.

The code

using System;
using System.Web;

/// <summary>
/// The XFrameOptionsModule loosens the x-frame policy from DENY to SAMEORIGIN
/// </summary>
public class XFrameOptionsModule : IHttpModule
{
    private const string XFrameOptionsHeaderName = "X-FRAME-OPTIONS";

    /// <summary>
    /// Initializes a new instance of the <see cref="XFrameOptionsModule"/> class.
    /// </summary>
    public XFrameOptionsModule()
    {
    }

    /// <summary>
    /// Disposes of the resources (other than memory) used by the module that implements <see cref="T:System.Web.IHttpModule"/>.
    /// </summary>
    public void Dispose()
    {
    }

    /// <summary>
    /// Initializes a module and prepares it to handle requests.
    /// </summary>
    /// <param name="context">An <see cref="T:System.Web.HttpApplication"/> that provides access to the methods, properties, and events common to all application objects within an ASP.NET application</param>
    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += ChangeXFrameOptionsHeaderToSameOrigin;
    }

    /// <summary>
    /// Changes the X-Frame-Options "DENY" header to "SAMEORIGIN".
    /// </summary>
    /// <param name="sender">The HttpApplication that triggers the event.</param>
    /// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
    private void ChangeXFrameOptionsHeaderToSameOrigin(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;            
        HttpResponse response = application.Response;
            
        string headerValue = response.Headers[XFrameOptionsHeaderName];
        if (headerValue != null && headerValue.Equals("DENY", StringComparison.OrdinalIgnoreCase))
        {
            response.Headers[XFrameOptionsHeaderName] = "SAMEORIGIN";
        }
    }
}

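All you have to do now is add this module to the web.config using an SPWebConfigModification inside a feature receiver. Because the handler has no path check, it rewrites "DENY" on every response of the web application it is registered in, not only on Office Web Apps pages, so register it only in the web application that hosts the preview web part.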
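One way to do that registration, as an added example that is not code from the original post: a feature receiver that adds the module to `system.webServer/modules` and removes it again on deactivation. It assumes a Web Application scoped feature; the receiver class name, the owner tag, the namespace, the assembly name and the key token are hypothetical placeholders.

```csharp
using System.Collections.ObjectModel;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example: Web Application scoped feature receiver that registers and
// unregisters the module. Class name, owner tag and type name are placeholders.
public class XFrameOptionsFeatureReceiver : SPFeatureReceiver
{
    // Owner tag so deactivation removes only the entries this feature added.
    private const string Owner = "XFrameOptionsModuleFeature";

    // Placeholder: replace with the real assembly-qualified type name.
    private const string ModuleType =
        "MyCompany.SharePoint.XFrameOptionsModule, MyCompany.SharePoint, " +
        "Version=1.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER";

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;

        SPWebConfigModification mod = new SPWebConfigModification();
        mod.Path = "configuration/system.webServer/modules";
        mod.Name = "add[@name='XFrameOptionsModule']";
        mod.Sequence = 0;
        mod.Owner = Owner;
        mod.Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode;
        mod.Value = "<add name='XFrameOptionsModule' type='" + ModuleType + "' />";

        webApp.WebConfigModifications.Add(mod);
        Apply(webApp);
    }

    public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;
        Collection<SPWebConfigModification> mods = webApp.WebConfigModifications;
        for (int i = mods.Count - 1; i >= 0; i--)
        {
            if (mods[i].Owner == Owner) mods.RemoveAt(i);
        }
        Apply(webApp);
    }

    private static void Apply(SPWebApplication webApp)
    {
        webApp.Update();                                  // persist the collection
        webApp.WebService.ApplyWebConfigModifications();  // write web.config on the farm
    }
}
```

Deactivating the feature removes the entry, after which responses carry the original "DENY" value again.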

Cheers,

Wes

2 Comments

  • Hey Wesley,

    This is a perfect solution for those who have got server-side access, but do you know how to do it using the client object model or through any client-side scripting?

  • @Naresh, unfortunately there is no way of doing it client side. The header is set hardcoded by Microsoft, so it is not configurable. It depends on the browser you use if the header is actually used or not.

    The only client option you have is to place a proxy server (ISA, TMG) in between and let the proxy replace the header. This would be a possible solution if you have hosted SharePoint you are accessing from inside your intranet environment where every computer uses the same proxy server.

    Cheers,
    Wes
