Open wkloucek opened 1 year ago
Yes, this was (implicitly) included in #76. The implementation is not that straightforward though, especially as we have moved the discovery part to reva, and therefore the keys would need to be passed from reva to wopiserver at each /openinapp call (which is suboptimal) or with some other mechanism.
I just stumbled across this feature of WOPI, which I didn't know about before, and thought it was worth sharing:
https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/scenarios/proofkeys describes a way to verify that requests are coming from a web office application.
It is also at least supported by OnlyOffice https://api.onlyoffice.com/editors/wopi/proofkeys
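
The proof-key check those two pages describe, as an added example (not part of this issue and not wopiserver code). The function names are hypothetical, and it assumes the keys arrive as `(modulus, exponent)` integers already decoded from the `proof-key` element of WOPI discovery, and that the caller supplies the current time in .NET ticks.

```python
import base64, hashlib, hmac, struct

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MAX_AGE_TICKS = 20 * 60 * 10_000_000  # 20 minutes in 100 ns ticks


def expected_proof(token, url, ticks):
    """Bytes the office app signs: length-prefixed token, upper-cased URL, timestamp."""
    t, u = token.encode("utf-8"), url.upper().encode("utf-8")
    return (struct.pack(">i", len(t)) + t + struct.pack(">i", len(u)) + u
            + struct.pack(">iq", 8, ticks))


def rsa_sha256_verify(key, msg, sig):
    """RSASSA-PKCS1-v1_5 verification with SHA-256; key is (modulus, exponent)."""
    n, e = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    want = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, want)


def validate_proof(token, url, headers, current_key, old_key, now_ticks):
    """True if the request carries a fresh, valid proof for this token and URL."""
    try:
        ticks = int(headers["X-WOPI-TimeStamp"])
        proof = base64.b64decode(headers["X-WOPI-Proof"], validate=True)
        proof_old = base64.b64decode(headers.get("X-WOPI-ProofOld", ""), validate=True)
        msg = expected_proof(token, url, ticks)
    except (KeyError, ValueError, struct.error):
        return False
    if now_ticks - ticks > MAX_AGE_TICKS:  # stale timestamp: treat as a replay
        return False
    # Three combinations cover key rotation on either side of a discovery refresh.
    return (rsa_sha256_verify(current_key, msg, proof)
            or rsa_sha256_verify(current_key, msg, proof_old)
            or (old_key is not None and rsa_sha256_verify(old_key, msg, proof)))
```

The `url` argument must be the full request URL as the office application called it, including the query string, since that is what the signature covers.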