The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in
Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
What is “Clickjacking”?
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user thinks they are clicking on, this way there is a risk of potentially revealing confidential information or taking control of their computer while clicking on seemingly innocent web pages.
When you use this option, it means that the Shared Group tiles and the Workspace itself can be loaded in any IFrame on any website however this brings a high chance of security risks because the instance is vulnerable for Clickjacking.
When you use this option, you’re not able to load the Workspace or Shared Group tiles in any IFrame.
When you use this option, you’re able to open the Workspace or Shared Tile groups on a website which is hosted on the same domain as the Workspace instance is. This is NOT on TOP-LEVEL, but on the navigation within the domain, so for example:
The Workspace runs on https://workspace.workspace365.net then you’re NOT able to open the Workspace or Shared Tile groups on any site which runs under the workspace365.net domain, e.g. https://portal.workspace365.net. You're only able to open the Workspace or Shared Tile groups on e.g. https://workspace.workspace365.net/navigation/somefolder
When you use this option, you’re able to open the Workspace or Shared tile group on any specific site you set, so for example:
If you set the option to Allow-From (https://portal.office.com) you’re able to load the Workspace and the Shared Tile groups in an IFrame on portal.office.com