Preventing clickjacking via Office.js instead of frame-ancestors and X-Frame-Options

Hi,

My website is very conservative about which other websites can load my pages in an iframe, to prevent clickjacking (https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking).

I'm building an Outlook add-in, so I expect that my pages at www.example.com/outlook_addin/read and www.example.com/outlook_addin/compose will be iframed from outlook.live.com and outlook.office365.com.

But I also wanted to support Exchange Web Servers hosted on other domains, like outlook.othercompany.com. Since I won't be able to know which domains are legitimate EWS hosts beforehand, it seems like I'll have to turn off my default clickjacking protection.

I've already read https://github.com/OfficeDev/office-js-docs/blob/master/docs/develop/privacy-and-security.md#tips-to..., but still had questions:

- If Office.js is initialized, is it safe to assume that the host is a legit EWS installation, and not an attacker trying to clickjack?

- As a follow-on to the above question, what information is available about *how* Office.js detects that the host is a legit EWS installation?

I'm just looking to be diligent security-wise here :).

Thanks!

Daniel
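An added example, written for this page and not taken from the post, from Office.js or from Microsoft's docs, of the header-based control the post is weighing against an Office.js-side check. It assumes a Node.js server, the paths and Outlook hosts named in the post, and a hypothetical server-side allowlist of customer Outlook/EWS origins that customers register out of band (the post does not describe how such a list would be populated). The point it illustrates: the browser enforces `frame-ancestors` before any script in the framed page runs, so no check performed from inside the page by Office.js can replace it; the allowlist has to live on the server, and it should be widened per route rather than by switching protection off site-wide.

```javascript
// Added example, not code from the post: per-route clickjacking headers for a site
// that hosts an Outlook add-in under /outlook_addin/ and denies framing elsewhere.
// Assumptions: Node.js, the paths and hosts named in the post, and a server-side
// allowlist of customer Outlook/EWS origins that is registered out of band.

const ADDIN_PATH_PREFIX = '/outlook_addin/';               // from the post
const KNOWN_OUTLOOK_HOSTS = [                              // from the post
  'https://outlook.live.com',
  'https://outlook.office365.com',
];

// Accept only a bare https origin (scheme + host [+ port]); reject anything that
// could widen the policy, such as http://, wildcards, paths, or embedded credentials.
function normalizeOrigin(candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch (e) {
    return null;                                           // not a URL at all ('*', 'foo')
  }
  if (u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '') return null;
  return u.origin;
}

// Build the CSP frame-ancestors directive from the fixed hosts plus registered extras.
function buildFrameAncestors(extraOrigins) {
  const origins = new Set(KNOWN_OUTLOOK_HOSTS);
  for (const candidate of extraOrigins) {
    const origin = normalizeOrigin(candidate);
    if (origin === null) throw new Error(`rejected frame ancestor: ${candidate}`);
    origins.add(origin);
  }
  return `frame-ancestors ${[...origins].join(' ')}`;
}

// Headers for a given request path. Add-in pages get the allowlist; everything
// else keeps the strict default. Only CSP can express several allowed framers:
// X-Frame-Options ALLOW-FROM takes a single origin and current browsers ignore it,
// so no X-Frame-Options header is sent on add-in pages (a DENY there would block
// Outlook, and where both headers are present frame-ancestors takes precedence).
function frameProtectionHeaders(pathname, extraOrigins = []) {
  if (pathname.startsWith(ADDIN_PATH_PREFIX)) {
    return { 'Content-Security-Policy': buildFrameAncestors(extraOrigins) };
  }
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Express-style middleware (hypothetical wiring; no framework is needed to run this file).
// getAllowlist() is assumed to return the currently registered customer origins.
function clickjackingMiddleware(getAllowlist) {
  return (req, res, next) => {
    const pathname = new URL(req.url, 'https://www.example.com').pathname;
    const headers = frameProtectionHeaders(pathname, getAllowlist());
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Usage with a constructed allowlist:
const registeredCustomerHosts = ['https://outlook.othercompany.com'];
console.log(frameProtectionHeaders('/outlook_addin/read', registeredCustomerHosts));
console.log(frameProtectionHeaders('/account/settings'));
```

The design choice worth noting is that the add-in routes are the only ones that relax the policy, and they relax it to an explicit, validated set of https origins rather than to `*`; a customer's outlook.othercompany.com has to be added to that set by some registration step, because nothing the framed page can observe at load time (Office.js initialization included) is evaluated early enough, or by a trusted enough party, to stand in for the header.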