Preventing clickjacking via Office.js instead of frame-ancestors and X-Frame-Options

Daniel Phan
Occasional Visitor



My website is very conservative about which other websites can load my pages in an iframe, to prevent clickjacking (https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking).


I'm building an Outlook add-in, so I expect that my pages at www.example.com/outlook_addin/read and www.example.com/outlook_addin/compose will be iframed from outlook.live.com and outlook.office365.com.


But I also wanted to support Exchange Web Servers hosted on other domains, like outlook.othercompany.com. Since I won't be able to know which domains are legitmate EWS hosts beforehand, it seems like I'll have to turn off my default clickjacking protection.


I've already read https://github.com/OfficeDev/office-js-docs/blob/master/docs/develop/privacy-and-security.md#tips-to..., but still had questions:

- If Office.js is initialized, is it safe to assume that the host is a legit EWS installation, and not an attacker trying to clickjack?

- As a follow-on to the above question, what information is available about *how* Office.js detects that the host is a legit EWS installation?


I'm just looking to be diligent security-wise here :).




Related Conversations
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies