I have a MS-WOPI client in Sharepoint that correctly accepts URL requests to open Word documents like:
That works fairly good either by opening the URL directly in a browser, or setting it as the source in an iframe like this:
<iframe _ngcontent-ryg-c10="" frameborder="0" height="750" width="100%" src="https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=interactivepreview"></iframe>
So, that URL works perfectly fine for both direct opening and using it in an iframe.
The problem is, that if change the WOPI action value from "interactivepreview" to an edition action value like "edit", for example, like this:
the URL can still be opened correctly when opened directly in the Web browser, but if this new URL is used in an iframe like this:
<iframe _ngcontent-ryg-c10="" frameborder="0" height="750" width="100%" src="https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=edit"></iframe>
Then Sharepoint refuses to frame, sending this content security policy error message:
Refused to frame 'https://myCompany.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com". So, in summary:- For non-editable WOPI actions (e.g. "interactivepreview") the URL works well for all scenarios (both within an iframe and non-iframe).
- For editable WOPI actions (e.g. "edit"), the URL works well only if consumed directly (non-iframe).
- For editable WOPI actions, the URL does not work when used in an iframe because the aforementioned error.
Is this a WOPI misconfiguration, a Sharepoint misconfiguration, a client (browser) request misconfiguration, or something else?