SharePoint Content Security Policy Help

Eddie Yee 5 Reputation points
2023-08-18T03:01:17.24+00:00

Hi,

I'm trying to display documents hosted in SharePoint in an external web page using an iframe. I'm using the embedded link provided in the SharePoint documents themselves. The Excel document displays fine, but the Word document does not load and the console shows the Content Security Policy error shown below.

I tried the Ignore X-Frame Header extension, which loads the Word document in Chrome but not in Edge. This is not a solution for a group of users. I also tried adding the external web domain in SharePoint HTML Field Security, but it does not work.

Any idea how to fix this?

Refused to frame 'https://xxx.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com".


2 answers

  1. Scott D. Carson 5 Reputation points
    2024-01-24T22:15:57.24+00:00

    There are plenty of good reasons why a customer might want to frame SharePoint content, and the OP wasn't asking for advice on whether this was a good idea or not.

    The answer is, use the URL rewrite capability in IIS to rewrite the CSP header. Add server variable RESPONSE_CONTENT_SECURITY_POLICY. Then add a blank outbound rule and give it a name. Create a condition "Server Variable" "RESPONSE_CONTENT_SECURITY_POLICY" "match with regular expression" and value ".*" - i.e., match on any value or a missing value. Then in the action section choose Replace, and put the CSP header value you want.

    If you search for "modify response header IIS url rewrite" you'll find a tutorial that explains all this.


  2. Yanli Jiang - MSFT 21,611 Reputation points Microsoft Vendor
    2023-08-18T06:30:56.9566667+00:00

    Hi @Eddie Yee ,

    This is by design. Loading pages in this manner will not work because the X-FRAME-OPTIONS HTTP header is set to the value SAMEORIGIN.

    Overriding this property by setting the web part to AllowFraming isn't recommended for security reasons. There are several functionalities that will not operate correctly when loaded into an iframe. (This behavior will vary from browser to browser.)

    For more information, please refer to:

    https://learn.microsoft.com/en-us/sharepoint/troubleshoot/sites/cannot-display-sharepoint-pages-in-iframe


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
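
The console message quoted in the question is the browser enforcing the frame-ancestors directive in SharePoint Online's Content-Security-Policy response header, and the second answer brings in the older X-Frame-Options header. The script below is an added example written for this thread, not code from the question, from SharePoint or from Microsoft. It re-implements the source-expression matching a browser performs for frame-ancestors and runs it over the exact directive from the console message against a few embedding origins. The origin `https://intranet.example.com` and the document path are constructed; `xxx.sharepoint.com` is the redacted host from the question. It also shows how the two headers interact: when a frame-ancestors directive is present, browsers ignore X-Frame-Options, which is why an X-Frame-Options-stripping extension does not help here.

```javascript
// Added example for this thread (not SharePoint, browser or Microsoft code):
// a re-implementation of CSP frame-ancestors source matching plus the
// X-Frame-Options fallback a browser applies when frame-ancestors is absent.
// SHAREPOINT_CSP is the directive from the console message in the question.

const SHAREPOINT_CSP =
  "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com " +
  "*.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn " +
  "*.powerapps.com *.yammer.com *.officeapps.live.com *.office.com " +
  "*.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com " +
  "onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com";

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a Content-Security-Policy value into directive name -> source list.
// Repeated directives after the first are ignored, as the spec requires.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Break "scheme://host:port" into parts; scheme and port are optional and the
// host may start with "*." (subdomain wildcard). Returns null when malformed.
function parseHostSource(source) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[a-z0-9.-]+|[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(source);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// A source with no scheme inherits the framed document's scheme, so an http://
// embedder never matches a policy served over https. An http: requirement is
// also satisfied by https: (the spec's secure-upgrade rule).
function schemeMatches(sourceScheme, ancestor, framed) {
  const required = sourceScheme || framed.protocol;
  return required === ancestor.protocol || (required === "http:" && ancestor.protocol === "https:");
}

// "*.office.com" matches "www.office.com" but not "office.com" itself and not
// "office.com.evil.example": the match is on a dot-delimited suffix.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// No port in the source means "the default port for the scheme".
function portMatches(sourcePort, ancestor) {
  const actual = ancestor.port || DEFAULT_PORTS[ancestor.protocol] || "";
  if (sourcePort === null) return actual === (DEFAULT_PORTS[ancestor.protocol] || "");
  return sourcePort === "*" || sourcePort === actual;
}

function sourceMatches(source, framed, ancestor) {
  if (source === "'none'") return false;
  if (source === "'self'") return framed.origin === ancestor.origin;
  if (source === "*") return true;
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase() + ":", ancestor, framed);
  const parsed = parseHostSource(source);
  return parsed !== null &&
    schemeMatches(parsed.scheme, ancestor, framed) &&
    hostMatches(parsed.host, ancestor.hostname.toLowerCase()) &&
    portMatches(parsed.port, ancestor);
}

// May `framedUrl`, served with these response headers, be embedded by a page
// at `ancestorOrigin`? When frame-ancestors is present the browser ignores
// X-Frame-Options entirely (CSP Level 2, frame-ancestors section). Otherwise
// only DENY and SAMEORIGIN are honoured; any other value is treated as
// unrestricted here, a simplification of this example, not browser behaviour.
function canBeFramedBy(headers, framedUrl, ancestorOrigin) {
  const framed = new URL(framedUrl);
  const ancestor = new URL(ancestorOrigin);
  const sources = headers.csp ? parseCsp(headers.csp).get("frame-ancestors") : undefined;
  if (sources) return sources.some((src) => sourceMatches(src, framed, ancestor));
  const xfo = (headers.xfo || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framed.origin === ancestor.origin;
  return true;
}

// Evaluate the question's policy for several embedding origins. The document
// path and intranet.example.com are constructed for this example.
function demo() {
  const framed = "https://xxx.sharepoint.com/sites/hr/Shared%20Documents/policy.docx";
  const headers = { csp: SHAREPOINT_CSP, xfo: "SAMEORIGIN" };
  const origins = [
    "https://xxx.sharepoint.com", "https://teams.microsoft.com", "https://www.office.com",
    "https://office.com", "http://teams.microsoft.com",
    "https://teams.microsoft.com.evil.example", "https://intranet.example.com",
  ];
  const result = {};
  for (const origin of origins) result[origin] = canBeFramedBy(headers, framed, origin);
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the table of decisions. Two details matter for the situation in the question: the external site is simply not in the list, and `*.office.com` does not cover `office.com` itself, so an entry has to name the bare host separately. The directive is evaluated by the browser against the response headers of the framed document, so only the server that emits that response can change the outcome; nothing on the embedding page, and no header rewriting on a server the response does not pass through, affects it.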