I'm working on an Outlook Web Add-In and I'm struggling with knowing what value to set for the X-Frame-Options: ALLOW-FROM header. As far as I know, users may access Outlook via three different domains (office.com, office365.com and live.com). Does anyone know how I can tell which site is making the request, so I can set the header appropriately?
The add-in needs to be able to run in an iFrame in order to work in Outlook Web, thus X-Frame-Options header should not be included at all. ALLOW-FROM can't really be used because the number of domains to list is way more than 3 mentioned, and that list is growing – there are many cases where various users access Office365 and outlook.com using custom domains.
来源:https://stackoverflow.com/questions/48334839/x-frame-options-for-outlook-web-add-ins