A common consent framework doesn’t show up in a task pane app in Excel Online.

  • Question

  • Hi,

    I’m developing a task pane add-in that calls Microsoft Graph API.

    I have encountered unexpected error messages during operation on Excel Online.

    This problem doesn’t occur in Excel.exe.

    To make this add-in available in Excel Online, you need to create an application catalog in SharePoint in Office 365 and upload a manifest file.

    On Excel Online, when you click a button (labelled as “sign-in”) on the task pane add-in, a common consent framework should be displayed inside the task pane, where the add-in should be granted access to Microsoft Graph API. When successfully granted, this add-in can try to access Microsoft Graph API. 

    But the common consent framework doesn’t show up, and instead the following error messages are displayed in the task pane. 

    “This content cannot be displayed in a frame”
    “To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.”

    As a result, the add-in cannot be granted. 

    I have submitted this add-in for review, and a reviewer reported that this problem happens in that reviewer’s Excel Online. On the other hand, in my environment, when I click the button on the task pane in Excel Online, the add-in calls the API successfully without displaying the common consent framework.

    For your information, in Excel.exe, when I click the button, the add-in displays the common consent framework, and the add-in calls the API after a successful authentication process.

    Does anyone know why the common consent framework doesn’t show up when the add-in is used in Excel Online?

    Thanks
    Cheetah


     
    Wednesday, March 2, 2016 8:10 AM

All replies

  • I have received some important feedback.

    According to the feedback,

    Load denied by X-Frame-Options: https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=<CLIENT_ID>&resource=https://graph.microsoft.com&redirect_uri=<REDIRECT_URI>/Home.html does not permit framing. <unknown>

    Does this mean that I can resolve this problem by specifying an appropriate value for the X-Frame-Options response header for Home.html?
    If so, how can I specify X-Frame-Options for Home.html? My add-in is hosted as an App Service in Azure.

    https://login.microsoftonline.com is specified in <AppDomains> in manifest file.
    Do I need to specify the X-Frame-Options as well as <AppDomains>?

    Thanks

    Cheetah

    Wednesday, March 2, 2016 4:09 PM
  • Hi Cheetah,

    I don’t think it works fine if you specify X-Frame-Options. This is a security issue. We can’t put the Microsoft authentication site in a framework. If we can’t do that, then the sensitive message can be accessed in the current application/website.

    For authentication, you need to use OAuth. There is an article that can help you:

    Understanding authentication with Office 365 APIs

    https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks?f=255&MSPPError=-2147217396

    Regards

    Starain



    Thursday, March 3, 2016 7:23 AM
    Moderator
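
The framing decision behind the "Load denied by X-Frame-Options" message in this thread, as an added example that is not part of the original posts: the browser reads the headers of the response being framed (the login page), so a header set on Home.html only controls who may frame Home.html. The header values, `addin.example` and `host.example` are constructed or hypothetical, and only the immediate parent frame is checked.

```javascript
// Added example. Decides whether a browser would render a response inside a
// frame, given that response's headers and the page that embeds it. Only the
// immediate parent is checked; header values used below are constructed.
function sourceMatches(source, parent, framedOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return parent.origin === framedOrigin;
  // Subset of CSP host-source syntax: scheme://[*.]host[:port]
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // also covers 'none', which matches nothing
  const [, scheme, wildcard, host, port] = m;
  const defaultPort = parent.protocol === "https:" ? "443" : "80";
  if (scheme.toLowerCase() + ":" !== parent.protocol) return false;
  if ((port || defaultPort) !== (parent.port || defaultPort)) return false;
  const h = host.toLowerCase();
  return wildcard ? parent.hostname.endsWith("." + h) : parent.hostname === h;
}

function framingAllowed(framedUrl, framedHeaders, parentUrl) {
  const framedOrigin = new URL(framedUrl).origin;
  const parent = new URL(parentUrl);
  const h = {};
  for (const [k, v] of Object.entries(framedHeaders)) h[k.toLowerCase()] = v;
  // A frame-ancestors directive, when present, replaces X-Frame-Options.
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) return directive.slice(1).some(s => sourceMatches(s, parent, framedOrigin));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === framedOrigin;
  return true; // header absent or unrecognised: no restriction applies
}

const LOGIN = "https://login.microsoftonline.com/common/oauth2/authorize";
const ADDIN = "https://addin.example/Home.html"; // hypothetical add-in host

function demo() {
  const loginHeaders = { "X-Frame-Options": "DENY" }; // constructed value
  // Constructed policy on Home.html: it governs who may frame Home.html only.
  const addinHeaders = { "Content-Security-Policy": "frame-ancestors https://*.host.example" };
  return {
    loginInsideAddin: framingAllowed(LOGIN, loginHeaders, ADDIN),
    addinInsideHost: framingAllowed(ADDIN, addinHeaders, "https://excel.host.example/"),
  };
}
console.log(demo());
```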