Office 365 add-in: Content Security Policy issues

Hi Office 365 Outlook team,

Our Office 365 add-in specifies the following Content Security Policy:

Content Security Policy directive: “frame-ancestors ‘self’ outlook.office365.com outlook.office.com”

This has been working well until recently when the Office store review team reported the error:

Refused to display ‘our url’ in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’ outlook.office365.com outlook.office.com”

As if their web based Outlook was not loaded from outlook.office365.com or outlook.office.com.

The store team did not provide any more details of their tests.

Can someone please tell us if we're missing other valid Office 365/Outlook URLs in the CSP?

Thank you.

Blueness answered 7/4, 2017 at 21:19

Comments:

I don't have a complete list in front of me but you're missing the consumer outlook.com and live.com domains. Add-ins are supported there as well. (Headphone)

Thank you. We'll update our CSP although our add-in will work only for Office 365 business accounts as our listing explains. (Blueness)

Validation takes place on outlook.office.com using standard O365 accounts.

Poisson answered 12/4, 2017 at 12:25

Comments:

Very strange, as this message is a browser message (not something our app checks): "Refused to load 'app url' because it does not appear in the frame-ancestors directive of the Content Security Policy", and our CSP does list outlook.office.com in the frame-ancestors directive. (Blueness)

Does all validation happen at outlook.office.com? Or are there other domains? Are there other policies that might need to be updated? What are those? (Ejectment)

@JimHall Mail add-ins can run off any number of known domains (outlook.office.com, outlook.office365.com, outlook.live.com etc., or even custom domains if running OWA via Exchange etc.). (Poisson)

Ok so I need a very permissive header like * (Ejectment)
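An added example, not from the question or the answers above, that mimics the browser's frame-ancestors check so a policy change can be tested before shipping it: it shows the original directive refusing outlook.live.com, the broadened list admitting it, and why a bare `*` admits any framing site. The add-in origin `addin.example.test` is a placeholder, and scheme and port matching are simplified.

```python
from urllib.parse import urlsplit

# Policy from the question, and one broadened with the consumer host named in the comments.
ORIGINAL_CSP = "frame-ancestors 'self' outlook.office365.com outlook.office.com"
BROADENED_CSP = ORIGINAL_CSP + " outlook.live.com"


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def host_matches(pattern, host):
    """CSP host matching: exact host, or '*.example.com' for any subdomain (not the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def ancestor_allowed(csp, ancestor_origin, self_origin):
    """Check one ancestor origin the way the browser does (simplified: no 'none',
    no port matching, and a scheme-less source matches any scheme)."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True  # no directive: CSP does not restrict framing
    ancestor, own = urlsplit(ancestor_origin), urlsplit(self_origin)
    for source in sources:
        if source == "'self'":
            if (ancestor.scheme, ancestor.netloc) == (own.scheme, own.netloc):
                return True
        elif source == "*":
            return True  # the permissive wildcard from the last comment: any site may frame you
        else:
            src = urlsplit(source if "://" in source else "//" + source)
            if src.scheme and src.scheme != ancestor.scheme:
                continue
            if src.hostname and host_matches(src.hostname, ancestor.hostname or ""):
                return True
    return False


def framing_allowed(csp, ancestor_chain, self_origin):
    """Every ancestor in the chain is checked, so one disallowed host blocks the load."""
    return all(ancestor_allowed(csp, a, self_origin) for a in ancestor_chain)
```

Rather than `*`, list each Outlook host the add-in must run under; the wildcard lets any site frame the add-in, which is exactly what frame-ancestors exists to prevent.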
