What are the precise restrictions for the iframe and the browser in 'apps for office'?

  • Question

  • Hi everyone, the apps for office run in a sandboxed environment, that is documented here and here.

    For the 'online' case, the iframe case, there is no precise description of what is allowed for the iframe sandbox attributes. Using dev tools in Outlook Web App, I saw that the iframe's app got the following attributes: sandbox="allow-scripts allow-forms allow-same-origin ms-allow-popups allow-popups". Does Microsoft guarantee that this will always be the environment for the iframe?

    Now for the desktop client case, I am also missing information about what is granted and what's not for the browser. What are precisely those "security and performance isolation" mentioned in the second link? For example, I am struggling with session storage in the case of the desktop client that is not working and I am not sure whether it's related to security restrictions. We have to know more on what is granted or not. This is a crucial matter to build reliable business apps.

    Thank you





    Tuesday, May 26, 2015 10:43 AM

All replies

  • Hi Benoit P,

    >>What are precisely those "security and performance isolation" mentioned in the second link?<<

    It was described in the first link like below:

    • An app for Office runs in a web browser control that is hosted in an app runtime environment separate from the Office host application. This design provides both security and performance isolation from the host application.

    • Running in a web browser control allows the app to do almost anything a regular web page running in a browser can do but, at the same time, restricts the app to observe the same-origin policy for domain isolation and security zones.

    >>For example, I am struggling with session storage in the case of the desktop client that is not working and I am not sure whether it's related to security restrictions. <<

    Would you mind sharing sample code showing how you were handling the session storage?

    Regards & Fei



    Wednesday, May 27, 2015 2:33 AM
    Moderator
  • Hi Fei,

    Let me clarify my concerns. Actually, what I am trying to do is implement a full client OAuth 2.0 flow in apps for office. I managed to implement one with my previous app Keluro Web Analytics.

    Now I was trying to do the same with ADAL.js (Windows Azure Active Directory JS client lib). See my bug report here or my discussion in the Yammer network.

    I also found a solution following the same recipe as Keluro Web Analytics. However, I do not know whether it is a proper and long-lasting implementation.

    The basic idea is to do the OAuth flow in a popup that will not be restricted by the same-origin policy. The trick is to give as the redirect URI a page with some JavaScript that will register the hash containing token ids. Then the parent iframe polls the popup to see if the flow has completed. If so, close the popup and retrieve the hash. See my implementation in my fork of ADAL.js, remote branch sandboxed-iframe, this commit. Maybe it is quite difficult to get and I think I will write a blog post to explain precisely the trick. I really have to know if it's a good solution.

    The implicit client OAuth 2.0 flow is a 'must have' for apps for office as long as the apps model aims at building connected services. Note also that calling XHR in the same domain is not always an acceptable solution (I do not want to take my user's Google or Office 365 credentials!).

    Let us forget for a while my problem with localstorage. The problem is this one (it happens only with the desktop client though).

    Thank you very much.

    Benoit

    Wednesday, May 27, 2015 10:24 AM
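
The popup-polling step described in the post above, as an added example that is not part of the thread or of the poster's ADAL.js fork: it accepts the returned hash only when the popup is back on the app's own redirect origin and the `state` value matches the one the app generated before opening the popup. Function names and the sample origin used to exercise it are assumptions.

```javascript
// Added example: function names and result shapes are constructed for illustration.

// Parse "#access_token=...&state=..." and accept it only if `state` matches
// the value this app generated before opening the popup.
function parseImplicitResponse(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) {
    return { ok: false, reason: 'idp_error:' + params.get('error') };
  }
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const token = params.get('access_token') || params.get('id_token');
  if (!token) return { ok: false, reason: 'no_token' };
  return { ok: true, token: token };
}

// One polling step. `popup` is the object returned by window.open().
function checkPopupOnce(popup, redirectOrigin, expectedState) {
  if (!popup || popup.closed) return { done: true, ok: false, reason: 'popup_closed' };
  let hash;
  try {
    // Reading origin/hash throws while the popup is on another origin.
    if (popup.location.origin !== redirectOrigin || !popup.location.hash) return { done: false };
    hash = popup.location.hash;
  } catch (e) {
    return { done: false }; // still on the identity provider's pages
  }
  popup.close();
  return Object.assign({ done: true }, parseImplicitResponse(hash, expectedState));
}

// Poll until the flow finishes or the timeout elapses.
function pollPopup(popup, redirectOrigin, expectedState, timeoutMs, intervalMs) {
  return new Promise(function (resolve) {
    const deadline = Date.now() + timeoutMs;
    const timer = setInterval(function () {
      let step = checkPopupOnce(popup, redirectOrigin, expectedState);
      if (!step.done && Date.now() > deadline) {
        step = { done: true, ok: false, reason: 'timeout' };
      }
      if (step.done) { clearInterval(timer); resolve(step); }
    }, intervalMs);
  });
}
```
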
  • Hi,

    >> What are precisely those "security and performance isolation" mentioned in the second link?

    As shown in figure 1, on a Windows or Windows RT desktop or tablet device, the app webpage is hosted inside an Internet Explorer control which, in turn, is hosted inside an app runtime process that provides security and performance isolation (the App is running at a Low-Integrity level).

    Figure 1


    Regards,

    Jeffrey





    Thursday, May 28, 2015 6:47 AM
    Moderator