none
SharePoint 2013 Search Center In Iframe

    Question

  • I am trying to provide the search page in an iframe on a different-domain site. Unfortunately, init.js throws an exception in this context (as it tries to access window.frameElement, which belongs to the other domain).

    Offending line:

    if(window.frameElement!=null||typeof SPUpdatePage==="undefined"||typeof SPUpdatePage!=="undefined"&&SPUpdatePage(a))

    Can be fixed by changing to (say)

    var framed;try{var test = window.frameElement}catch(frameException){framed = true;}; if((!framed && window.frameElement!=null)||typeof SPUpdatePage==="undefined"||typeof SPUpdatePage!=="undefined"&&SPUpdatePage(a))

    Obviously changing the init.js file is non-ideal. Anyone ran into this/have a more elegant solution?

    Tuesday, February 25, 2014 9:33 PM

Answers

  • Hi  Kaleb D,

    By default, SharePoint 2013 prevents cross-domain IFRAMING of pages as a security measure to prevent clickjacking . SharePoint 2013 uses the X-Frame-Options header to prevent its pages from being targeted by a clickjacking attack. Each HTTP response sends an X-Frame-Options: SAMEORIGIN header, which indicates that this page must not be loaded in an IFRAME if the outer (hosting) page is on a different domain than the SharePoint page. This has some implications for IFRAME scenarios with SharePoint:

    1. SharePoint pages that host external content in an IFRAME are not affected.
    2. SharePoint pages that host other pages from the same SharePoint site in an IFRAME are not affected.

    SharePoint page developers can opt-out of clickjacking protection by adding the AllowFraming control to their .aspx pages:

    <WebPartPages:AllowFraming runat="server" />


    This control instructs SharePoint not to send the X-Frame-Options header when this page is requested. Without the X-Frame-Options header, the page is able to be IFRAMED.

    For more  information, you can refer to the blog :

    http://blogs.msdn.com/b/officeapps/archive/2012/12/12/iframing-sharepoint-hosted-pages-in-apps.aspx

    Best Regards,

    Eric


    Eric Tao
    TechNet Community Support


    Thursday, February 27, 2014 7:09 AM

All replies

  • Hi  Kaleb D,

    By default, SharePoint 2013 prevents cross-domain IFRAMING of pages as a security measure to prevent clickjacking . SharePoint 2013 uses the X-Frame-Options header to prevent its pages from being targeted by a clickjacking attack. Each HTTP response sends an X-Frame-Options: SAMEORIGIN header, which indicates that this page must not be loaded in an IFRAME if the outer (hosting) page is on a different domain than the SharePoint page. This has some implications for IFRAME scenarios with SharePoint:

    1. SharePoint pages that host external content in an IFRAME are not affected.
    2. SharePoint pages that host other pages from the same SharePoint site in an IFRAME are not affected.

    SharePoint page developers can opt-out of clickjacking protection by adding the AllowFraming control to their .aspx pages:

    <WebPartPages:AllowFraming runat="server" />


    This control instructs SharePoint not to send the X-Frame-Options header when this page is requested. Without the X-Frame-Options header, the page is able to be IFRAMED.

    For more  information, you can refer to the blog :

    http://blogs.msdn.com/b/officeapps/archive/2012/12/12/iframing-sharepoint-hosted-pages-in-apps.aspx

    Best Regards,

    Eric


    Eric Tao
    TechNet Community Support


    Thursday, February 27, 2014 7:09 AM
  • Hi, 

    You need not to modify the "init.js" file. You can just overwrite the code by monkey patch in JavaScript as discussed in this post.

    To fix this issue either you can place this github Gists code in Script Editor or placed JavaScript file reference in your layout page.

    For more details you can use the below mentioned blog post. Where you able to find the code.  

    http://sharepointfordeveloper.blogspot.com/2016/08/sharepoint-2013-search-center-in-iframe.html

    Thursday, September 01, 2016 10:34 AM