Share via

Exchange SE RTM Dec25SU – DownloadDomains OWA attachment preview blocked by X-Frame-Options

Iván Zoltán 20 Reputation points
2026-03-25T10:41:11.2233333+00:00

Hello,

I configured DownloadDomains on Exchange Server SE RTM Dec25SU (build 15.02.2562.035) following Microsoft's official documentation. Everything appears correct but OWA attachment preview is not working.

Configuration (all verified):

  • DNS: downloadmail.contoso.com → CNAME → mail.contoso.com 
  • Certificate: Wildcard *.contoso.com 
  • InternalDownloadHostName and ExternalDownloadHostName: both set to downloadmail.contoso.com 
  • EnableDownloadDomains: True 
  • https://downloadmail.contoso.com/owa loads correctly 

Problem:

OWA attachment preview fails. Browser console (F12) shows:

Refused to display 'https://downloadmail.contoso.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

 

Is this a known issue with Exchange SE RTM and DownloadDomains? Is there a supported fix or workaround?

Thank you!

Exchange | Exchange Server | Management
Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

0 comments
Answer accepted by question author
  1. Q&A Assist
    2026-03-25T10:41:31.11+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Exchange Download Domains are supported and required for mitigating CVE-2021-1730, but there is no information in the provided context that identifies an X-Frame-Options=SameOrigin issue with Exchange Server Subscription Edition RTM as a known bug, nor any supported method to change that header.

    The context does document two relevant Download Domain–related issues and their resolutions:

    1. ADFS/MFA + Download Domains (inline images not visible)
      • When ADFS is used for MFA in OWA and Download Domains are configured per CVE-2021-1730, users may no longer see inline images.
      • The supported fix is to install:
        • Cumulative Update 12 or later for Exchange Server 2019, or
        • Cumulative Update 23 or later for Exchange Server 2016.
      • This restores proper behavior with Download Domains and ADFS.
    2. Download Domains broken after March 2024 Security Update
      • After the March 2024 Exchange Security Update, Download Domains may stop working in some Outlook/OWA scenarios: inline images disappear and attachments cannot be downloaded in OWA.
      • The supported fix is to install the hotfix update KB5037224 (April 23, 2024) for Exchange Server 2019 and 2016.

    From the available information, the only supported remediation paths for Download Domain issues are:

    • Ensure the server is on a supported cumulative update level (for 2016/2019, at least CU23/CU12 respectively when using ADFS with Download Domains).
    • If the March 2024 SU is installed and Download Domains stop working, install the KB5037224 hotfix.
    • If Download Domains must be disabled organization-wide, use: 
        Set-OrganizationConfig -EnableDownloadDomains $false

    There is no supported guidance in the context for modifying X-Frame-Options behavior or for a specific Exchange SE RTM bug matching the described X-Frame-Options=SameOrigin frame-blocking symptom. The only documented and supported workarounds are to:

    • Update to the latest applicable cumulative update and hotfix for the Exchange version in use, and
    • As a last resort, disable Download Domains entirely if the feature is blocking required functionality.

    References:

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.