OneDrive / onedrive-api-docs

Official documentation for the OneDrive API
MIT License

File Picker v8 in iframe - Content Security Policy sporadic issue #1681

Open idan-weiss opened 1 year ago

idan-weiss commented 1 year ago

Category

Expected or Desired Behavior

Not have CSP and X-Frame-Options headers in the response

Observed Behavior

Hi! I'm working with the File Picker v8 in an iframe, and sometimes when initiating the picker by making a request to https://<TENANT_NAME>-my.sharepoint.com/_layouts/15/FilePicker.aspx the server returns the CSP and the X-Frame-Options headers, which result in the error Refused to frame 'https://<TENANT_NAME>-my.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com".

After reading this issue - https://github.com/OneDrive/onedrive-api-docs/issues/1621 , I made sure that my audience in the token is indeed correct, and in fact, sometimes I can get a valid response (with no CSP header) and sometimes I get an invalid response (with the CSP header) using the very same access token.

Not sure what to do on this one

Steps to Reproduce

I don't have a way to always reproduce it. It just sometimes happens to me. If you try to load the file picker in an iframe enough times it should be reproduced.

Thank you.
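The error quoted above is the browser enforcing the `frame-ancestors` directive against the origin of the page that embeds the picker. The following is an added example, not code from the OneDrive docs or the File Picker: it parses a CSP header, pulls out `frame-ancestors`, and reports whether a given embedding origin would be allowed, following the CSP3 ancestor-source rules ('self', 'none', scheme-source, host-source with an optional "*." prefix and port). The tenant name "contoso" and the embedding host "app.example.com" are made up; the directive value is the one quoted in the issue.

```javascript
// Added example (not from the OneDrive docs or the File Picker code):
// parse a Content-Security-Policy header's frame-ancestors directive and
// check whether a given embedding origin is allowed to frame the page.

// The frame-ancestors value quoted in this issue, as returned by FilePicker.aspx.
const ISSUE_CSP =
  "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com " +
  "*.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com " +
  "*.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com " +
  "*.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com " +
  "securebroker.sharepointonline.com";

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the frame-ancestors source list, or null when the directive is absent
// (CSP then does not restrict framing; X-Frame-Options may still).
function frameAncestorSources(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, "$1").toLowerCase());
    }
  }
  return null;
}

// Does one ancestor-source expression match the embedding origin?
// `self` is the origin of the framed document (the SharePoint host here).
function sourceMatches(source, embedder, self) {
  if (source === "none") return false;
  if (source === "self") {
    return embedder.protocol === self.protocol && embedder.host === self.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
    // scheme-source: "https:" allows https, and "http:" also allows https.
    return embedder.protocol === source || (source === "http:" && embedder.protocol === "https:");
  }
  // host-source: [scheme://]host[:port][/path]; the path is ignored because
  // only the ancestor's origin is compared.
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*?[^:/]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false; // syntax this checker does not understand: no match
  const [, scheme, host, port] = m;
  // Without an explicit scheme the framed document's own scheme applies.
  const wantScheme = scheme ? `${scheme}:` : self.protocol;
  if (embedder.protocol !== wantScheme && !(wantScheme === "http:" && embedder.protocol === "https:")) {
    return false;
  }
  if (host.startsWith("*.")) {
    // "*.teams.microsoft.com" matches any subdomain but not the bare apex.
    if (!embedder.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && embedder.hostname !== host) {
    return false;
  }
  const embedderPort = embedder.port || DEFAULT_PORT[embedder.protocol] || "";
  if (port === "*") return true;
  if (port) return embedderPort === port;
  // No port in the source: only the scheme's default port matches.
  return embedderPort === (DEFAULT_PORT[embedder.protocol] || "");
}

// True when a page at `embedderOrigin` may frame a document at `framedOrigin`
// served with `cspHeader`.
function isFramingAllowed(cspHeader, embedderOrigin, framedOrigin) {
  const sources = frameAncestorSources(cspHeader);
  if (sources === null) return true;
  const embedder = new URL(embedderOrigin);
  const self = new URL(framedOrigin);
  return sources.some((s) => sourceMatches(s, embedder, self));
}

// A third-party app host (constructed name) trying to frame the picker:
console.log(isFramingAllowed(ISSUE_CSP, "https://app.example.com", "https://contoso-my.sharepoint.com")); // false
```

Run against the quoted directive, any origin outside the listed Microsoft hosts is refused, and so is a listed host reached over plain http or a non-default port. When a response carries both headers, a browser that supports `frame-ancestors` uses it and ignores `X-Frame-Options`, so the CSP directive is the one that decides.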

ghost commented 1 year ago

Thank you for your contribution to OneDrive API Docs. We will be triaging your incoming issue as soon as possible.

JesseMom123 commented 1 year ago

We experience the exact same issue. Feels like some kind of race condition

jameshu0 commented 1 year ago

Using Incognito mode in Chrome will result in errors

Uncaught (in promise) DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.

t.odsp-common.js

code: "SecurityError" message: "Failed to read the 'localStorage' property from 'Window': Access is denied for this document." notification: "page-loaded"

JeffBarney commented 1 year ago

We're also experiencing this same problem

idan-weiss commented 1 year ago

Hi, anything new?

rahulparmar339 commented 10 months ago

We're also experiencing this same problem

ScottRJones commented 7 months ago

We are also experiencing this. Is there any solution?

adevine commented 1 month ago

@idan-weiss (or anyone else in this thread actually): You said "After reading this issue - https://github.com/OneDrive/onedrive-api-docs/issues/1621 , I made sure that my audience in the token is indeed correct".

Did you have to do anything when retrieving the token (e.g. in the call to msal's acquireTokenSilent or loginPopup) to set the audience value? I'm unclear how this is set. Right now if I inspect the JWT access token the payload.aud value is a UUID with a whole bunch of zeros, so I'm assuming that's my problem, I just am unclear how to fix it.
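The question above is about reading the `aud` claim of the access token the picker is called with. The following is an added example, not code from the OneDrive docs, the File Picker, or MSAL: it decodes a JWT payload client-side and checks whether `aud` is the resource the picker is being used against, along with `exp`. The tokens are constructed, unsigned samples and the tenant name "contoso" is made up. It assumes the picker is served from the tenant's OneDrive host and that the token was requested for that host's `/.default` scope, so the expected audience is the host URL; confirm the exact value against the picker docs, since Entra may also express the audience as the resource's application ID (a GUID) rather than its URL.

```javascript
// Added example (not from the OneDrive docs, the File Picker, or MSAL):
// decode an Entra ID access token client-side and check that its `aud`
// claim is the resource the picker runs against. Nothing here verifies the
// signature; that is the resource server's job. This only explains why a
// request carrying the token might be refused.

function b64urlDecode(s) {
  return Buffer.from(s, "base64url").toString("utf8");
}
function b64urlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64url");
}

// Split a compact JWS and parse its header and payload without verification.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Audiences are compared case-insensitively and without a trailing slash.
function normalizeAud(a) {
  return String(a).toLowerCase().replace(/\/+$/, "");
}

// Assumption: the token was requested for the OneDrive host's "/.default"
// scope, so `aud` should be that host URL. Pass every form you expect
// (URL and/or application ID) in `expectedAudiences`.
function checkPickerToken(token, expectedAudiences, now = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwt(token);
  const problems = [];
  const audClaims = (Array.isArray(payload.aud) ? payload.aud : [payload.aud]).map(normalizeAud);
  const expected = expectedAudiences.map(normalizeAud);
  if (!audClaims.some((a) => expected.includes(a))) {
    problems.push(`aud ${JSON.stringify(payload.aud)} is not one of ${JSON.stringify(expectedAudiences)}`);
  }
  if (typeof payload.exp !== "number" || payload.exp <= now) {
    problems.push("token is expired or has no exp");
  }
  return {
    ok: problems.length === 0,
    aud: payload.aud,
    scopes: typeof payload.scp === "string" ? payload.scp.split(" ") : [],
    problems,
  };
}

// Constructed sample tokens. Header and payload have real JWT structure; the
// signature segment is a placeholder, so these would fail verification.
function makeSampleToken(payload) {
  const header = { typ: "JWT", alg: "RS256" };
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

const NOW = 1700000000; // fixed clock so the example is reproducible
const EXPECTED_AUD = ["https://contoso-my.sharepoint.com"]; // assumed picker resource
const TOKEN_FOR_SHAREPOINT = makeSampleToken({ aud: "https://contoso-my.sharepoint.com/", exp: NOW + 3600, scp: "AllSites.Read" });
const TOKEN_FOR_GRAPH = makeSampleToken({ aud: "https://graph.microsoft.com", exp: NOW + 3600, scp: "Files.Read" });
const TOKEN_EXPIRED = makeSampleToken({ aud: "https://contoso-my.sharepoint.com", exp: NOW - 60, scp: "AllSites.Read" });

console.log(checkPickerToken(TOKEN_FOR_SHAREPOINT, EXPECTED_AUD, NOW).ok); // true
console.log(checkPickerToken(TOKEN_FOR_GRAPH, EXPECTED_AUD, NOW).problems);
```

MSAL has no audience parameter: with the v2 endpoint the audience follows from the resource named in the scopes you pass to `acquireTokenSilent` or `loginPopup`, so a token acquired for Graph scopes carries Graph's audience no matter where it is sent. Decoding the token this way shows which resource it was actually issued for; the request scopes are where it gets changed.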