A reliable way to get the origin of an Office add-in

I am currently implementing an Outlook add-in. Whenever the user is about to perform a potentially dangerous action, it shows a pop-up window to protect against clickjacking attacks.

I was hoping not to show the user a pop-up every time they use the add-in, only the first time they use it from a new host. Is there a way to get the proven origin of the Office add-in host, so I can remember that the user trusts it next time?

Right now I listen for postMessage from the host (e.g. https://outlook.office.com) in the Office.js SDK and check the origin of the MessageEvent, but this seems very fragile.

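Added example, not code from the original question or from Office.js: an origin allowlist check for the postMessage approach described above. The browser sets MessageEvent.origin itself, so a frame cannot forge it; what makes the approach fragile is loose comparison, so the check below requires an exact https origin match and records the origins the user approved through the pop-up. The host origins listed and the `confirm` hook are assumptions.

```javascript
// Origins that are always accepted. Assumption: these are the Office hosts the
// add-in is deployed to; adjust to your deployment.
const KNOWN_HOST_ORIGINS = new Set([
  "https://outlook.office.com",
  "https://outlook.office365.com",
]);

// Accept only an exact https scheme://host[:port] origin string. Anything
// else (http, "null", a URL with a path, garbage) is rejected outright.
function normalizeOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || url.origin !== origin) return null;
  return url.origin;
}

// Exact match only: endsWith/indexOf style checks are deliberately avoided
// because they also accept look-alike hosts such as outlook.office.com.evil.test.
function isTrustedOrigin(origin, approved = new Set()) {
  const o = normalizeOrigin(origin);
  return o !== null && (KNOWN_HOST_ORIGINS.has(o) || approved.has(o));
}

// Decide what to do with one host message. `approved` is the per-user set of
// origins already confirmed once; `confirm(origin)` is the pop-up hook and
// returns true when the user accepts the new origin.
function handleHostMessage(event, approved, confirm) {
  if (isTrustedOrigin(event.origin, approved)) return "accepted";
  if (normalizeOrigin(event.origin) === null) return "rejected";
  if (confirm(event.origin)) {
    approved.add(event.origin);
    return "accepted-after-prompt";
  }
  return "rejected";
}

// Browser wiring; skipped outside a window context so the module loads in Node too.
if (typeof window !== "undefined") {
  const approved = new Set();
  window.addEventListener("message", (ev) => {
    const ask = (o) => window.confirm(`Trust messages from ${o}?`);
    if (handleHostMessage(ev, approved, ask) === "rejected") return; // ignore silently
    // ... act on ev.data only here
  });
}
```

Persist `approved` somewhere per user (for example the add-in's roaming settings) so the prompt really is shown only once per new host.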
2 answers

I would like to understand the attack vector you describe better. Someone creates https://evilspoof/ and places your web application inside an iframe. Then the end user goes to https://evilspoof/ and clicks some things inside your add-in?

Do you authenticate your users somehow? And you are worried that if they log in to your site legitimately, then when they go to the malicious site they are already logged in, so the clicks/actions on your page will work, since they have already been authenticated?

: https://dev.outlook.com/reference/add-ins/Office.context.mailbox.html#getUserIdentityTokenAsync


Source: https://habr.com/ru/post/1692403/
