SharePoint 2013 and X-FRAME-OPTIONS: SAMEORIGIN

I’ve got a few lightboxes in my SharePoint 2013 Web Application, and one of the pages I need to launch in a lightbox iframe contains Plupload. When I clicked on the link to launch the lightbox, nothing appeared in Chrome and I got an error message in Internet Explorer. Apparently it’s due to a security feature to combat clickjacking.

I tried to fix the issue by using meta tags and also amending the response headers in IIS, but neither appeared to work. What did work was the Ventigrate Permissive XFrame Header, but rather than include this plugin I just included the class in my project and it worked like a charm. So….

Use the following class, remembering to specify the correct namespace for your project:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web;
namespace AlkaneNamespace
{
public class PermissiveXFrameHeaderModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.BeginRequest += context_BeginRequest;
context.EndRequest += context_EndRequest;
}
protected void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
HttpContext context = application.Context;
// General requests
if (!context.Items.Contains("AllowFraming"))
context.Items.Add("AllowFraming", String.Empty);
// IPFS requests
if (!context.Items.Contains("FrameOptionsHeaderSet"))
context.Items.Add("FrameOptionsHeaderSet", String.Empty);
}
protected void context_EndRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
HttpContext context = application.Context;
// XLViewer
context.Response.Headers.Remove("X-FRAME-OPTIONS");
}
}
}

now in your web.config, add the reference to your class, namespace and assembly like so:

<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="PermissiveXFrameHeaderModule" />
<add name="PermissiveXFrameHeaderModule" type="AlkaneNamespace.PermissiveXFrameHeaderModule, AlkaneSolutions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=aa13051522563c02" />
</modules>
</system.webServer>
</configuration>

AlkaneNamespace is the namespace of the class, PermissiveXFrameHeaderModule is the name of the class and AlkaneSolutions is the name of the assembly in the GAC. To get the version/PublicKeyToken information you can follow the post here.