Symptoms

When trying to configure the Content Control to show a URL for a SharePoint-hosted document (such as a PDF, Excel file, etc), a message is instead displayed, stating:

"Cannot display content in frame."

There is a link that is available to open the link to the document in a new browser window, which works successfully, but the SharePoint-hosted document never is displayed in the Content Control itself.
 

Diagnoses

This behavior is due to a SharePoint security measure. The reason is to prevent clickjacking. Microsoft has put measures in place to prevent clickjacking from occurring. These security measures specifically prevent SharePoint-hosted content from being displayed in a frame within a third-party application. The Content Control is an iFrame that hosts a specified URL, hence the message that is seen in this case.
 

Resolution

There are several workarounds to disable these security measures within the SharePoint farm itself in order to allow these SharePoint-hosted documents to display in third-party frames, such as disabling X-frame headers. A word of caution here, as tampering with these settings could potentially cause problems with K2 webparts installed within your SharePoint farm, as they also use frames for displaying content.