SharePoint Modal Dialog (SP.UI.ModalDialog.showModalDialog(options)) is one of the most commonly used developer features. DocRead and DocSurvey both utilise this “out of the box” modal dialog box to display forms and information to the user.
Recently, when we were working on the DocSurvey application, we came across this challenge (one of the many challenges) of rendering a DocSurvey (enhanced SharePoint Survey) from a different application domain in SharePoint 2013.
For Example: How do you ask a user to respond to a survey that was generated cross-domain / cross-site ? (e.g. the survey is saved in intranet.collaboration.com but is required to be filled in from mysites.collaboration.com).
In SharePoint 2013, if we try to display content from a different domain (within a modal window) using the SP.UI.ModalDialog , the browser will display a warning message and wont display the content as below.
The browser was throwing an error message because the SharePoint has requested the browser to display only the content from the same domain only using the Header (X-FRAME-OPTIONS”, “SAMEORIGIN”). It is because the SP 2013 Request module sets this header in the response header of each request.
Microsoft.SharePoint.ApplicationRuntime.SPRequestModule:
if (!httpContext.Items.Contains(SPRequestModule.AllowFramingFlag) && SPRequestModule.ContextCompatibilityLevel != 14)
{
httpContext.Response.AddHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
}
The code above sets this header if the AllowFramingFlag is not set and the CompatibilityLevel is not 14.
Solution:
After a bit of searching, I found the solution here about the Microsoft.SharePoint.WebPart.AllowFraming control for the above issue. To resolve this, simply add this control into your page (or code behind) on the page that we want to display in a cross domain modal dialog.
So this is what it does,
Microsoft.SharePoint.WebPartPages.AllowFraming
if (this.Context != null && !this.Context.Items.Contains(SPRequestModule.AllowFramingFlag)) {
this.Context.Items.Add(SPRequestModule.AllowFramingFlag, "1");
}
It just simply sets the flag so that the Request module will not set the X-FRAME-OPTIONS header.