Preventing clickjacking via Office.js instead of frame-ancestors and X-Frame-Options



My website is very conservative about which other websites can load my pages in an iframe, to prevent clickjacking (


I'm building an Outlook add-in, so I expect that my pages at and will be iframed from and


But I also wanted to support Exchange Web Servers hosted on other domains, like Since I won't be able to know which domains are legitimate EWS hosts beforehand, it seems like I'll have to turn off my default clickjacking protection.


I've already read, but still had questions:

- If Office.js is initialized, is it safe to assume that the host is a legit EWS installation, and not an attacker trying to clickjack?

- As a follow-on to the above question, what information is available about *how* Office.js detects that the host is a legit EWS installation?


I'm just looking to be diligent security-wise here :).
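As an added example (not code from the original post), here is one way to keep the framing protection switched on while still admitting additional EWS hosts: build the `frame-ancestors` allowlist per deployment from a registry of validated https origins rather than disabling the header. The origins below are constructed placeholders, and `framingHeadersFor` is a hypothetical helper name.

```javascript
// Added example: per-deployment frame-ancestors allowlist instead of
// switching clickjacking protection off. All origins are constructed placeholders.

// Normalise a candidate framer to an origin; null if it is not a clean https origin.
function normalizeOrigin(candidate) {
  let u;
  try { u = new URL(candidate); } catch { return null; }
  if (u.protocol !== 'https:') return null;   // never allowlist http or other schemes
  if (u.username || u.password) return null;  // reject credential-bearing URLs
  return u.origin;                            // drops path, query, fragment, default port
}

// Build the CSP directive from the fixed Outlook host origins plus the
// registered EWS hosts. Invalid entries are dropped and duplicates collapsed;
// an empty result denies all framing.
function buildFrameAncestors(staticOrigins, registeredEwsHosts) {
  const origins = new Set();
  for (const c of [...staticOrigins, ...registeredEwsHosts]) {
    const o = normalizeOrigin(c);
    if (o) origins.add(o);
  }
  if (origins.size === 0) return "frame-ancestors 'none'";
  return `frame-ancestors ${[...origins].join(' ')}`;
}

// Hypothetical header helper for an Express-style server. X-Frame-Options has
// no allowlist form that current browsers honour, so it is only emitted as a
// DENY fallback when nothing is allowlisted; CSP carries the real policy.
function framingHeadersFor(staticOrigins, registeredEwsHosts) {
  const csp = buildFrameAncestors(staticOrigins, registeredEwsHosts);
  const headers = { 'Content-Security-Policy': csp };
  if (csp === "frame-ancestors 'none'") headers['X-Frame-Options'] = 'DENY';
  return headers;
}

// Constructed sample: two placeholder Outlook hosts plus one registered EWS host.
const OUTLOOK_HOSTS = ['https://outlook.example', 'https://outlook-addin.example'];
const EWS_REGISTRY = ['https://mail.contoso.example/EWS/Exchange.asmx'];
console.log(framingHeadersFor(OUTLOOK_HOSTS, EWS_REGISTRY));
```

The registry is the part a tenant has to opt into (for example when an admin enrols an on-premises EWS host), which is what turns "unknown beforehand" into a bounded list the header can express.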