This post is a revision of an old blog post on rendering Excel Services in an iframe on a different domain. The browser refuses to do this because SharePoint adds the HTTP response header X-FRAME-OPTIONS: SAMEORIGIN to the response. The issue isn’t limited to Excel Services; it applies to any SharePoint-hosted page that you want to display in an iframe.
Consider the following:
SharePoint 2013 will always render the X-FRAME-OPTIONS header, even for regular pages. Adding an AllowFraming control to the page fixes that, but doesn’t cover all situations
You can’t add the AllowFraming control to Office Web Apps or InfoPath Forms Server (“FormServer.aspx”)
Clicking on (pdf) documents in a Document Library in the iframe will fail to load them because the document is a different request
You have a basic “integration” between different systems (like Dynamics CRM) and SharePoint content that uses iframes
This is an HttpModule that can be activated per Web Application through a Web Application Feature and ensures that all pages will render inside an iframe. The module sets values that prevent SharePoint from trying to inject the header in the first place, but for some exceptions (Office Web Apps 2010, XLViewer 2013) it is still necessary to actually remove the header at the end of the request.
Please visit the Codeplex Repository to read more about this addon and for installation instructions: https://ventigrate.codeplex.com/wikipage?title=Permissive%20XFrame%20Header
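The header-removal step described above can be paired with an explicit allow-list, so that pages become frameable only by the systems that need them. The module below is an added example, not the Codeplex project's code: the class name and the CRM origin are hypothetical, and it assumes no other component already sets a Content-Security-Policy header.

```csharp
using System;
using System.Web;

// Hypothetical module name; this is not the class shipped in the Codeplex project.
public sealed class ScopedFramingModule : IHttpModule
{
    // Constructed sample value: the only origins allowed to frame SharePoint pages.
    private const string FrameAncestors = "'self' https://crm.example.com";

    public void Init(HttpApplication app)
    {
        // Fires just before headers are flushed, after SharePoint has added its own.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        // Editing the response header collection requires the IIS integrated pipeline.
        if (!HttpRuntime.UsingIntegratedPipeline)
            return;

        HttpResponse response = ((HttpApplication)sender).Response;

        // Only touch responses where the SAMEORIGIN restriction was actually emitted.
        if (response.Headers["X-FRAME-OPTIONS"] == null)
            return;

        response.Headers.Remove("X-FRAME-OPTIONS");

        // Replace the blanket restriction with a scoped one instead of leaving the
        // page frameable by any site. Assumption: no CSP header is already present;
        // an existing policy would need frame-ancestors merged into it instead.
        if (response.Headers["Content-Security-Policy"] == null)
        {
            response.Headers["Content-Security-Policy"] =
                "frame-ancestors " + FrameAncestors;
        }
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

Browsers that support the frame-ancestors directive will then allow framing only from the listed origins, which keeps clickjacking protection in place for every other site.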