Phillip-juan

Reputation: 546

Getting `HTTPS security is compromised` in ms-word addin on IE11

As the title states, I'm having issues with displaying my page in an iframe using x-frame-options: sameorigin.

Looking at possible solutions, I came across x-frame-options: allow-from url, which made no difference. All of my resources are also served via https. When using both x-frame-options: sameorigin and X-Frame-Options: allow-from url, the sameorigin header is disabled.

Also, documentation on x-frame-options found here:

# ALLOW-FROM uri
This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

I currently have the above-mentioned frame-ancestors directive implemented for other browsers' support (e.g. Chrome, Safari, or Firefox); however, it is unsupported by IE11. This is a security layer that I don't want to remove, to avoid clickjacking.

Any advice?

Upvotes: 0

Views: 124

Answers (1)

Phillip-juan

Reputation: 546

As explained in the question, I found that when appending another x-frame-options header, the sameorigin was disabled.

So I modified the header slightly and found the following to work perfectly for IE11 and did not affect the other browsers:

res.set("X-Frame-Options", "SAMEORIGIN, ALLOW-FROM url");

Upvotes: 0
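As an added example that is not part of the question or the answer above: a small Express-style helper that sends both layers at once, a Content-Security-Policy frame-ancestors directive for modern browsers and an X-Frame-Options header for IE11, which ignores frame-ancestors. The allow-list origin, the use of the iframe request's Referer to pick the framing origin, and the res.set(name, value) signature are assumptions (the signature matches Express, but the code runs without it).

```javascript
// Origins permitted to frame this page besides its own origin.
// Constructed sample value, not from the original post.
const ALLOWED_FRAME_ORIGINS = new Set(["https://word-addin.example"]);

// Reduce a Referer/Origin URL to its origin (scheme://host[:port]);
// returns null when the value is missing or not a parsable URL.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Build the header pair for a given framing origin. ALLOW-FROM accepts a
// single URI, so it is only emitted for an allow-listed origin; every other
// case (unknown origin, missing or stripped Referer, garbage) falls back to
// the restrictive SAMEORIGIN / 'self' pair.
function frameHeaders(framerOrigin) {
  const origin = originOf(framerOrigin || "");
  const allowed = origin !== null && ALLOWED_FRAME_ORIGINS.has(origin);
  const sources = allowed ? `'self' ${origin}` : "'self'";
  return {
    "Content-Security-Policy": `frame-ancestors ${sources}`,
    "X-Frame-Options": allowed ? `ALLOW-FROM ${origin}` : "SAMEORIGIN",
  };
}

// Express-style middleware (assumed shape: req.headers, res.set, next).
// For an iframe load the Referer carries the embedding page's URL, so it is
// used to choose between SAMEORIGIN and a single ALLOW-FROM origin.
function frameProtection(req, res, next) {
  const headers = frameHeaders(req.headers && req.headers.referer);
  for (const [name, value] of Object.entries(headers)) {
    res.set(name, value);
  }
  next();
}
```

Mount it before the route that serves the add-in page (app.use(frameProtection)); browsers that understand frame-ancestors enforce it and ignore X-Frame-Options, while IE11 enforces X-Frame-Options alone.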
