2
votes

Hi Office 365 Outlook team,

Our Office 365 add-in specifies the following Content Security Policy:

Content Security Policy directive: "frame-ancestors 'self' outlook.office365.com outlook.office.com"

This has been working well until recently when the Office store review team reported the error:

Refused to display 'our url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' outlook.office365.com outlook.office.com"

As if their web-based Outlook was not loaded from outlook.office365.com or outlook.office.com.

The store team did not provide any more details of their tests.

Can someone please tell us if we're missing other valid Office 365/Outlook URLs in the CSP?

Thank you.

1
I don't have a complete list in front of me but you're missing the consumer outlook.com and live.com domains. Add-ins are supported there as well. - Marc LaFleur

Thank you. We'll update our CSP although our add-in will work only for Office 365 business accounts as our listing explains. - Alexey

1 Answer

0
votes

Validation takes place on outlook.office.com using standard O365 accounts.
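
Added example, not part of the original thread and not Microsoft's code: a simplified JavaScript model of how a browser evaluates `frame-ancestors`, run against the policy from the question. The add-in URL, the ancestor chains and the function names are constructed for illustration; the model shows that every ancestor in the chain must match and that a bare host entry does not cover subdomains.

```javascript
// Simplified CSP Level 3 frame-ancestors matching (host, scheme and port only).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function sourceMatches(expr, ancestor, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return ancestor.origin === page.origin;
  if (expr === "*") return ancestor.protocol in DEFAULT_PORT; // simplified: http(s) only
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // other expression forms are out of scope here
  const [, scheme, wildcard, hostRaw, port] = m;
  const host = hostRaw.toLowerCase();
  // No scheme in the expression: the ancestor must use the framed page's
  // scheme (an http page also accepts https ancestors).
  const schemeOk = scheme
    ? ancestor.protocol === scheme.toLowerCase() + ":"
    : ancestor.protocol === page.protocol ||
      (page.protocol === "http:" && ancestor.protocol === "https:");
  // A bare host matches exactly; only a leading "*." covers subdomains.
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host)
    : ancestor.hostname === host;
  // No port in the expression: the ancestor must be on its scheme's default port.
  const effectivePort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  const portOk = port === "*" ||
    effectivePort === (port || DEFAULT_PORT[ancestor.protocol]);
  return schemeOk && hostOk && portOk;
}

// Returns the first ancestor origin the policy rejects, or null if framing is allowed.
// ancestors: URLs of every embedding document, parent first, up to the top window.
function firstBlockedAncestor(cspHeader, pageUrl, ancestors) {
  const directive = cspHeader.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "frame-ancestors");
  if (!directive) return null; // no frame-ancestors directive, no restriction
  const page = new URL(pageUrl);
  for (const a of ancestors.map(u => new URL(u))) {
    if (!directive.slice(1).some(expr => sourceMatches(expr, a, page))) return a.origin;
  }
  return null;
}

// Policy from the question; the add-in URL and ancestor chains are constructed.
const POLICY = "frame-ancestors 'self' outlook.office365.com outlook.office.com";
const ADDIN = "https://addin.example.com/taskpane.html";
console.log(firstBlockedAncestor(POLICY, ADDIN, ["https://outlook.office.com/mail/"]));
console.log(firstBlockedAncestor(POLICY, ADDIN, ["https://outlook.live.com/mail/"]));
```

Running the same function over the ancestor chain reported by a CSP violation in the browser console identifies which embedding origin the policy is missing.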