OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

MoreInfo.url causes failure of loading GRAPH-capable spam-addin manifest. #4540

Open glr0221 opened 5 months ago

glr0221 commented 5 months ago

Provide required information needed to triage your issue

Adding 'WebApplicationInfo' in the manifest, with MoreInfo.url defined, causes Outlook to fail in loading the manifest.

Your Environment

Expected behavior

Spam addin manifest, with GRAPH WebApplicationInfo defined, should load with no issues in Outlook.

Current behavior

Spam addin manifest, with GRAPH WebApplicationInfo defined, fails to load in Outlook.

Steps to reproduce

  1. Visit the Contoso sample repository at: https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/outlook-spam-reporting

  2. Download the file manifest.xml.

  3. At the bottom of the manifest, add the WebApplicationInfo section underneath resources.

      </Resources>
      <WebApplicationInfo>  
        <Id>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</Id>
        <Resource>api://officedev.github.io/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</Resource>
        <Scopes>  
          <Scope>profile</Scope>
          <Scope>openid</Scope>
        </Scopes>  
      </WebApplicationInfo> 
    </VersionOverrides>
  4. Once the manifest is modified, sideload the XML file using Mac Outlook.

  5. Mac Outlook fails to load the manifest with the following error:

    [Screenshot 2024-06-04 at 3 25 06 PM]

  6. To fix this, open the manifest and remove the 'MoreInfo.url' line in the current manifest. This leaves behind WebViewRuntime and JSRuntime urls.

        <bt:Urls>
          <bt:Url id="WebViewRuntime.Url" DefaultValue="https://officedev.github.io/Office-Add-in-samples/Samples/outlook-spam-reporting/src/spamreporting.html"/>
          <bt:Url id="JSRuntime.Url" DefaultValue="https://officedev.github.io/Office-Add-in-samples/Samples/outlook-spam-reporting/src/spamreporting.js"/>
        </bt:Urls>
  7. Save the modified manifest.

  8. Load the manifest (without MoreInfo.url) using Outlook and this succeeds.

Link to live example(s)

None

Provide additional details

None

Context

'MoreInfo' related manifest entries are causing some trouble. (https://github.com/OfficeDev/office-js/issues/4521) This is stopping us from creating GRAPH-enabled manifests for spam addins.

Useful logs

None

Thank you for taking the time to report an issue. Our triage team will respond to you in less than 72 hours. Normally, response time is <10 hours Monday through Friday. We do not triage on weekends.

akagarwa-msft commented 5 months ago

Thanks for reporting this issue regarding the Integrated Spam feature. It has been put on our backlog. We unfortunately have no timelines to share at this point.

Internal tracking id: Office: [4637020]

timwan10 commented 5 months ago

So I think this is kind of weird. But what is happening is the sample manifest has the url in the moreInfo category as:

https://learn.microsoft.com/...

This is ok...but when you add the WebApplicationInfo it puts more restrictions on what you are allowed to include in the URL section. (I can't find documentation for this, but checking to see if it's out there somewhere). I believe this is because the URL section is also used to load Web Taskpanes in Outlook, and they want to ensure that your graph calls are coming from URLs that are approved.

The URL for the MoreInfo section is only used to display in the dialog...but since it falls under the URLs section it is under the same restriction/security protocols.

What IS a problem is that the installer USED to give more informative error messages about the manifest. It should have said something like this:

[image]

So you can use the MoreInfo section with WebApplicationInfo, but you need to make sure the URL is still in the same domain.

glr0221 commented 5 months ago

@timwan10 thank you so much for your explanation. Unfortunately, I don't think that forcing the domain of moreinfo to be the same as webapplicationinfo is acceptable for our use. On the other side of the fence, I am thinking of:

  1. Why not make MoreInfo.url and MoreInfo.label optional? (Right now a UI-bug happens when you remove MoreInfo.url and Moreinfo.label.)
  2. If we opt to use MoreInfo.url, can't we just register the domain in the appdomains list?

I highly recommend making Moreinfo optional. Having links in the dialog to click on can be confusing for some.

Thank you again.

akshayta23 commented 5 months ago

@glr0221 We are working on resolving this issue https://github.com/OfficeDev/office-js/issues/4521 so I believe that #1 should be resolved once the fix is released.

Regarding #2, we need to discuss this internally with the product team before we can make any changes to the design. We will get back to you once we have an update.

glr0221 commented 5 months ago

Thank you very much @akshayta23 .

timwan10 commented 5 months ago

@glr0221 Is #2 not already the case? (If you add the URL to AppDomains, you should be ok?) Or are you still seeing rejections?

glr0221 commented 5 months ago

Hello @timwan10 . I have tried adding the domain of the url in MoreInfo.url in the appdomains list. Outlook would still not install the manifest saying 'Sorry we can't complete this operation.'. However, as you have tried, if I set the Moreinfo.url with the same domain as the link in webapplicationinfo, then the manifest gets installed.
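
Added example, not part of the thread or the Office.js project: a pre-sideload check for the rule as timwan10 and glr0221 describe it above, flagging any bt:Url whose host differs from the WebApplicationInfo Resource host. Exact host equality, matching on element local names, and the manifest fragment with its placeholder namespaces and docs.example.net URL are assumptions made here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed manifest fragment (not the real sample file): placeholder
# namespaces, shortened paths, and a made-up external MoreInfo URL.
SAMPLE = """\
<VersionOverrides xmlns="urn:constructed:overrides" xmlns:bt="urn:constructed:bt">
  <Resources>
    <bt:Urls>
      <bt:Url id="WebViewRuntime.Url" DefaultValue="https://officedev.github.io/src/spamreporting.html"/>
      <bt:Url id="JSRuntime.Url" DefaultValue="https://officedev.github.io/src/spamreporting.js"/>
      <bt:Url id="MoreInfo.url" DefaultValue="https://docs.example.net/more-info"/>
    </bt:Urls>
  </Resources>
  <WebApplicationInfo>
    <Resource>api://officedev.github.io/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</Resource>
  </WebApplicationInfo>
</VersionOverrides>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def off_domain_urls(manifest_xml):
    """Return [(url_id, host)] for Url entries whose host differs from the
    WebApplicationInfo Resource host. Empty when no WebApplicationInfo exists,
    since the thread reports the restriction only in that case."""
    root = ET.fromstring(manifest_xml)
    resource_host = None
    for el in root.iter():
        if local(el.tag) == "WebApplicationInfo":
            for child in el:
                if local(child.tag) == "Resource" and child.text:
                    resource_host = urlsplit(child.text.strip()).hostname
    if resource_host is None:
        return []
    findings = []
    for el in root.iter():
        if local(el.tag) == "Url" and el.get("DefaultValue"):
            host = urlsplit(el.get("DefaultValue")).hostname
            if host != resource_host:
                findings.append((el.get("id"), host))
    return findings

if __name__ == "__main__":
    for url_id, host in off_domain_urls(SAMPLE):
        print(f"{url_id}: host {host} does not match the Resource host")
```

The check deliberately ignores any AppDomains list, because glr0221 reports above that adding the domain there did not make the manifest install.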

HugoLd commented 4 months ago

I don't need moreinfo, but my ugly trick was to host an HTML file on the right domain with instant redirection to the desired external link, if it can help someone.