search

OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview
Other
641 stars 92 forks source link

displayDialogAsync - host page receives error:12006 as soon as popup navigates to subdomain #4376

Open cattermo opened 1 month ago

cattermo commented 1 month ago

When using displayDialogAsync in office on the web, the host page receives error:12006 as soon as the popup navigates to a different domain.

Your Environment

Expected behavior

Following this guide https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins it should be possible to open a popup window, from the host page by using displayDialogAsync, with the same domain, navigate to a different subdomain or domain, and then after coming back to the same domain, send a message to the host page.

Current behavior

As soon as the popup window leaves the same domain and navigates to a different domain my host page gets a dialog event with {error: 12006} as if the user closed the popup window. After this happens there is no more communication from the popup window to the host page.

Steps to reproduce

I have created a minimal Add-in that reproduces the problem here https://github.com/cattermo/officejs-reproduce-dialog-problem

Link to live example(s)

If one does not bother to run anything locally, one can install the test version of our real app where I have added some things to really showcase the problem. Use this manifest: https://testbed-office-addin.scrive.com/public/manifest-testbed.xml No account is needed since the bug happens before the user gets a chance to login.

Context

I think this is a very common use case, to open a popup to do authentication flow (since most login pages does not allow iframing). I have no idea how to achieve this in a good way if the popup cannot tell the host page when authentication is done.

shanshanzheng-dev commented 1 month ago

@m-hellesen Could you help take a look this issue? Thanks.

m-hellesen commented 4 weeks ago

Thanks so much for the detailed information and for giving us a sample add in. Questions for you while I look into it, has this worked for you in the past? Have you taken a look at this portion of the docs about cross domain messaging? https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins#cross-domain-messaging-to-the-dialog-runtime

cattermo commented 3 weeks ago

Thanks so much for the detailed information and for giving us a sample add in. Questions for you while I look into it, has this worked for you in the past? Have you taken a look at this portion of the docs about cross domain messaging? https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins#cross-domain-messaging-to-the-dialog-runtime

Hi! Thank you for looking into this. I did a small rebuild of our Add-In in December last year, moving from iframe popup to popup window. Then this workflow was working (open popup window with own domain -> redirect to other domain -> redirect back to same domain -> pass message to host page). I had to turn off some security headers to make it work (crossOriginOpenerPolicy and crossOriginResourcePolicy) but then it worked.

I'm not trying to message cross domain, I want to send the message after going back to same the same domain as the host page.

jim22k commented 3 weeks ago

@cattermo I have run into similar issues with Office Online. After redirecting and coming back to the same origin, it can't communicate with the add-in. I suspect it's due to losing the original window.opener reference -- not sure.

I found a solution which involves never redirecting the dialog window. Instead, you pop open a second window and do the redirect flow there. You communicate with the original dialog window via BroadcastChannel.

https://github.com/jim22k/OfficeOnlineDialog/tree/main

cattermo commented 3 weeks ago

@cattermo I have run into similar issues with Office Online. After redirecting and coming back to the same origin, it can't communicate with the add-in. I suspect it's due to losing the original window.opener reference -- not sure.

I found a solution which involves never redirecting the dialog window. Instead, you pop open a second window and do the redirect flow there. You communicate with the original dialog window via BroadcastChannel.

https://github.com/jim22k/OfficeOnlineDialog/tree/main

This sounds like a good workaround if the office-js team does not manage to solve the problem. Since it's possible to do this with a new popup window, office-js should be able to do it with its popup window...

@m-hellesen Are you still looking into the issue? Any progress?

cattermo commented 2 weeks ago

Please? Can someone have a look at this?

m-hellesen commented 2 weeks ago

Hey, I do have someone looking into this. Did the workaround unblock you for now?

cattermo commented 2 weeks ago

Hey, I do have someone looking into this. Did the workaround unblock you for now?

Ok, great, thank you 🙇 . Since it used to work late last year I would rather not build a different solution that then have to be removed when the real one starts working again 😬

yjz2021 commented 1 week ago

Hey @cattermo, I have been looking into the issue and it seems that the domain policy needs to be changed. Could you please verify if it works when the Cross-Origin-Opener-Policy header is not set to 'same-origin'. Let me know if this solves the issue. Thanks.

cattermo commented 6 days ago

Hey @cattermo, I have been looking into the issue and it seems that the domain policy needs to be changed. Could you please verify if it works when the Cross-Origin-Opener-Policy header is not set to 'same-origin'. Let me know if this solves the issue. Thanks.

Sorry for late response, was bank holiday in Sweden. Sadly setting "Cross-Origin-Opener-Policy": "unsafe-none" does not make any difference.