Comments (12)
@JunielKatarn We use ASP.NET built-in CORS middleware which I'm pretty sure does an exact match on the inbound origin, and when you configure it the configuration will always strip the forward slash. In other words, the Origin header containing a forward slash means it would never work without deep modifications or replacement.
All other Outlook clients, including older Win32 versions, have been correctly not including the forward slash in requests (presumably because the browser is responsible)
In RFC 6454 we have:
Return the triple (uri-scheme, uri-host, uri-port)
Two origins are "the same" if, and only if, they are identical.
from office-js.
Thanks for the thorough answer.
This will help us write the necessary tests to prevent regressions.
Regarding the fix, it's trivial one.
It should be available on the fast release channels early next week.
Starting investigation.
The message suggests mismatched values in the Access-Control-Allow-Origin header.
See https://github.com/microsoft/react-native-windows/blob/cb71c1663dc2503a281444ca12be4f8fbf344b43/vnext/Shared/Networking/OriginPolicyHttpFilter.cpp#L471
For added context our add-in continues to work in the task pane of Win32, plus OWA. Our CORS configuration has not changed, and I can see from OWA that we do indeed return the correct headers for well-formed requests:
I've wanted to debug a request from Win32 Outlook but cannot get any requests being made by event-based activation to flow through Fiddler locally to capture. Perhaps there is some documentation for proxying this traffic for inspection?
Further still, I think it's possible that there is a subtle difference in the Origin that is being sent by event-based activation, in that I think it may now contain an extra forward slash:
https://outlook.signature365.com
vs
https://outlook.signature365.com/
Our check on the origin value is strict, which I believe is therefore causing this issue. It appears the change in Outlook may be the additional slash when sending the Origin header.
Based on the definition at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin I think the additional forward slash is not correct, given the definition of:
Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>
@barclayadam I will verify whether the trailing slash should be ignored in the origin comparison or not, according to the Origin Policy spec.
Can you please elaborate on the steps to reproduce?
I installed the add-in via its XML manifest but don't understand how to make the actual requests as described in the steps.
Our add-in, when installed, will attempt to make a call to our id.signature365.com domain whenever you create a new email, or if you open the task pane.
I have worked around the problem on the server-side now though, so the issue should no longer be present using our add-in.
@barclayadam can you elaborate on the workaround you implemented?
The specific error message happens specifically when the allowed origin value is not set:

    // OriginPolicyHttpFilter.cpp: the error text depends on which check failed;
    // an empty allowed origin is reported before a same-origin mismatch
    if (allowedOrigin.empty() || !IsSameOrigin(origin, Uri{allowedOrigin})) {
      hstring errorMessage;
      if (allowedOrigin.empty())
        errorMessage = L"No valid origin in response";
@barclayadam
Can you please confirm the following about the bug behavior?
- Event-based activation sends an Origin header with a trailing slash (i.e. https://outlook.signature365.com/).
- Your server endpoint rejects this request header and does not provide the Access-Control-Allow-Origin response header.
- The Outlook client does not find the allow origin header in the response and fails.
On our server we used to set an allowed origin as https://outlook.signature365.com, which did not work for these Outlook versions because it was not an exact match against the header being sent, which was https://outlook.signature365.com/ (note the final forward slash).
Therefore we had to add an additional origin of https://outlook.signature365.com/ to make this work.
We were lucky because this specific part was not handled by the built-in .NET CORS middleware (https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-8.0) but instead by one from IdentityServer4. If we had been using the built-in CORS middleware this workaround would not have worked, from my understanding, because if I were to configure it to allow https://outlook.signature365.com/ it would still only match against https://outlook.signature365.com.
Your flow in your last comment is correct. The trailing slash is present in the Origin header, that is not an allowed endpoint and therefore there is no response header, which leads to Outlook rejecting the response.
For reference, a couple of snippets below from the built-in .NET CORS middleware show that it will not handle forward slashes by default.
When adding an allowed origin:

    var normalizedOrigin = GetNormalizedOrigin(origin);
    _policy.Origins.Add(normalizedOrigin);

The normalised URI is used, which will not include the path (the extra forward slash):

    return builder.Uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped);

When checking, an exact match against origin is used:

    return Origins.Contains(origin, StringComparer.Ordinal);
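An added example (not code from office-js, ASP.NET Core or IdentityServer4) that models the three matching behaviours this thread describes: a plain ordinal comparison, the normalise-the-allow-list-but-compare-the-header-ordinally behaviour quoted from the .NET middleware, and an RFC 6454 (scheme, host, port) triple comparison under which the trailing slash is irrelevant. The hostnames are the thread's; folding the default port away in `serialize_origin` is my assumption about how the .NET normalisation behaves.

```python
# Constructed example: three ways a server can test the Origin header against an allow-list.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_triple(value):
    """RFC 6454 origin of a URL or Origin header as (scheme, host, port);
    None for 'null' or anything that is not a hierarchical URL."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), port if port is not None else DEFAULT_PORTS.get(scheme))


def serialize_origin(value):
    """scheme://host[:port] with the path dropped; default port omitted (assumed
    to mirror .NET's UriComponents.SchemeAndServer normalisation)."""
    triple = origin_triple(value)
    if triple is None:
        return "null"
    scheme, host, port = triple
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def strict_match(origin_header, allowed):
    """Ordinal comparison: 'https://h/' and 'https://h' are different strings."""
    return origin_header in allowed


def aspnet_style_match(origin_header, allowed):
    """Allow-list entries are normalised (slash dropped) but the inbound header is
    compared ordinally, so configuring 'https://h/' still never admits 'https://h/'."""
    normalised = {serialize_origin(a) for a in allowed}
    return origin_header in normalised


def rfc6454_match(origin_header, allowed):
    """Compare (scheme, host, port) triples; a trailing slash on the header is ignored."""
    header = origin_triple(origin_header)
    return header is not None and any(header == origin_triple(a) for a in allowed)
```

With the allow-list `["https://outlook.signature365.com"]`, only `rfc6454_match` accepts the slashed header; with the workaround entry `["https://outlook.signature365.com/"]`, `strict_match` accepts it and `aspnet_style_match` still does not.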
Fixed and deployed to Office starting version 16.0.17505.15020.