I am tempted to add a restrictive X-Frame-Options HTTP response header to the OWA and ECP web applications on my CAS servers, to prevent blind XSS exploits such as clickjacking or frame-sniffing attacks.
At the same time, I have a SharePoint application with an OWA web part (a shared calendar view), so I need to be able to include OWA resources from a domain like "intranet.contoso.com".
If I set the HTTP Header to:
X-Frame-Options: Allow-From intranet.contoso.com
will I risk breaking anything in OWA?
I clicked around OWA and ECP furiously while recording each request with the Developer Tools network tool, and found no record of resources loaded/navigated by iframe, but I would like to be sure.
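As an added example (not part of the original question, and not Exchange or Microsoft code), here is how the header would be applied to the owa and ecp virtual directories with the IIS WebAdministration module and then verified on a live response. Two points the example builds in: ALLOW-FROM takes a full origin including the scheme (https://intranet.contoso.com, not a bare host name), and ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox; Chrome and Safari treat it as an unrecognised value and apply no framing restriction at all, so the script also sends the standardised equivalent, Content-Security-Policy frame-ancestors, which lists OWA's own origin ('self') alongside the SharePoint origin. The site name "Default Web Site", the CAS host mail.contoso.com and the SharePoint origin are assumptions for the example.

```powershell
# Added example, not code from the original post.
# Assumptions (hypothetical): IIS site "Default Web Site", CAS host mail.contoso.com,
# SharePoint origin https://intranet.contoso.com. Run elevated on the CAS server.
Import-Module WebAdministration

$siteName      = 'Default Web Site'
$allowedOrigin = 'https://intranet.contoso.com'   # full origin: scheme + host
$apps          = @('owa', 'ecp')
$filter        = 'system.webServer/httpProtocol/customHeaders'

foreach ($app in $apps) {
    $psPath = "IIS:\Sites\$siteName\$app"

    # Remove any existing copies first so the header is not emitted twice;
    # browsers apply the most restrictive interpretation of conflicting values.
    foreach ($name in 'X-Frame-Options', 'Content-Security-Policy') {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -AtElement @{name = $name} -ErrorAction SilentlyContinue
    }

    # Legacy header for IE / old Firefox. ALLOW-FROM accepts a single origin only.
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{name = 'X-Frame-Options'; value = "ALLOW-FROM $allowedOrigin"}

    # Standardised header for every current browser. 'self' keeps OWA's own
    # same-origin framing (if any) working; only the listed origins may embed it.
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{name = 'Content-Security-Policy'; value = "frame-ancestors 'self' $allowedOrigin"}

    Write-Host "Framing headers set on $psPath"
}

# Verify on a real response rather than trusting the config: fetch the OWA logon
# page and print the framing headers the server actually returned.
$resp = Invoke-WebRequest -Uri 'https://mail.contoso.com/owa/' -UseBasicParsing -MaximumRedirection 5
"X-Frame-Options:         " + $resp.Headers['X-Frame-Options']
"Content-Security-Policy: " + $resp.Headers['Content-Security-Policy']
```

Because the headers are added at the virtual-directory level, they apply to everything served under /owa and /ecp, including static resources; that is the scope to watch when testing, since any OWA page that frames another OWA page still works under 'self' but any third origin other than the SharePoint one will be refused.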