The case
The issue arose by opening a document from SharePoint in an Office application. Office applications authenticate through an embedded browser. Many of you have seen this if SharePoint is secured by ADFS. Every time we reached a specific page, the embedded browser closed and displayed the following error:
Your organization's policies are preventing us from completing this action for you. For more info, please contact your help desk.
A similar issue was posted by a Microsoft security engineer. He resolved the problem by adding an initial src URL to the iframe he was using.
The search for a solution
By following this blog post from Telerik I was able to change production HTML.
- Trace the network traffic
- At some point, a call to your endpoint is made (for ex. to https://originalhost/customIframe.html)
- Create a dummy HTML-file you want to serve instead of the production code (you can copy/paste the production code from the Fiddler trace to this HTML-file)
- Right-click on the request – Add new rule
- Add a rule similar to the screenshot above
Make sure “Auto Responder” and your rule is active by checking if the toggle is green. Otherwise, you won’t hit the forged HTML-file.
Bonus
I was debugging in the embedded browser of Office. So, no JavaScript console available to see what’s really going on. To conquer this, I had to download Visual Studio 2017 (you find the reason why here), created a web project, attached the debugger to the Office application, and displayed the JavaScript console under Debugging – Window – JavaScript Console.
Conquering the problem
First I tried to render an iframe with a relative URL inside the Office application embedded browser:
<iframe src="/relative/path/logo.png" ></iframe>
This worked.
The following resulted in the error stated above:
<iframe src="https://www.google.com"></iframe>
This led me to the conclusion that iframes with external URLs are not allowed. Alright. If I just knew how to change this behavior. Group policy is not an option since the guests will be external users.
With posting my question to Stackoverflow I ended my day. I would not say successful but at least a little bit wiser.