
Hi Office 365 Outlook team,

Our Office 365 add-in specifies the following Content Security Policy:

Content Security Policy directive: "frame-ancestors 'self' outlook.office365.com outlook.office.com"

This has been working well until recently when the Office store review team reported the error:

Refused to display 'our url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' outlook.office365.com outlook.office.com"

As if their web-based Outlook was not loaded from outlook.office365.com or outlook.office.com.

The store team did not provide any more details of their tests.

Can someone please tell us if we're missing other valid Office 365/Outlook URLs in the CSP?

Thank you.

Alexey
  • I don't have a complete list in front of me but you're missing the consumer `outlook.com` and `live.com` domains. Add-ins are supported there as well. – Marc LaFleur Apr 10 '17 at 14:44
  • Thank you. We'll update our CSP although our add-in will work only for Office 365 business accounts as our listing explains. – Alexey Apr 10 '17 at 16:12

1 Answer

Validation takes place on outlook.office.com using standard O365 accounts.

  • Very strange as this message is a browser (not something our app checks) "Refused to load 'app url' because it does not appear in the frame-ancestors directive of the Content Security Policy" and our CSP does list outlook.office.com in the frame-ancestors directive. – Alexey Apr 14 '17 at 00:16
  • Does *all* validation happen at `outlook.office.com`? Or are there other domains? Are there other policies that might need to be updated? What are those? – Jim Hall Feb 06 '18 at 17:38
  • @JimHall Mail add-ins can run off any number of known domains (outlook.office.com, outlook.office365.com, outlook.live.com **etc**, or even custom domains if running OWA via Exchange etc.) – Office Store Developer Comms Feb 06 '18 at 19:31
  • Ok so I need a very permissive header like `*` – Jim Hall Feb 08 '18 at 20:00
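
The following is an added example, not code from this thread or from Microsoft: a simplified matcher for `frame-ancestors` host-sources that shows why the policy in the question refuses an `outlook.live.com` ancestor, and that a bare `live.com` entry does not cover subdomains. The add-in origin `https://addin.example.com` is constructed, and scheme-less sources are assumed to match https ancestors only.

```javascript
// Added example: simplified frame-ancestors matching ('self', '*', host-sources).
// Assumptions: scheme-less sources match https ancestors only; ports and paths
// in sources are not handled. SELF is a constructed add-in origin.

function parseFrameAncestors(headerValue) {
  // Find the frame-ancestors directive inside a full CSP header value.
  for (const directive of headerValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent: CSP places no restriction on framing
}

function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === '*') return true;
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  const url = new URL(ancestorOrigin);
  let pattern = source.toLowerCase();
  const m = pattern.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  const scheme = m ? m[1] + ':' : 'https:';
  if (m) pattern = m[2];
  if (url.protocol !== scheme) return false;
  const host = url.hostname.toLowerCase();
  // "*.example.com" matches subdomains only; a bare host must match exactly.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Every ancestor in the frame chain must match; returns the first one the
// policy refuses, or null when all ancestors are allowed.
function firstBlockedAncestor(headerValue, selfOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(headerValue);
  if (sources === null) return null;
  const blocked = ancestorOrigins.find(
    (origin) => !sources.some((s) => sourceMatches(s, origin, selfOrigin))
  );
  return blocked ?? null;
}

const SELF = 'https://addin.example.com'; // constructed
const original = "frame-ancestors 'self' outlook.office365.com outlook.office.com";
const widened = original + ' outlook.live.com';

console.log(firstBlockedAncestor(original, SELF, ['https://outlook.office.com']));
console.log(firstBlockedAncestor(original, SELF, ['https://outlook.live.com']));
console.log(firstBlockedAncestor(original + ' live.com', SELF, ['https://outlook.live.com']));
console.log(firstBlockedAncestor(widened, SELF, ['https://outlook.live.com']));
```

Listing each host the add-in is actually loaded from keeps the policy restrictive, whereas `*` lets any site frame the add-in.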