Gags

Reputation: 41

outlook.office.com vs outlook.office365.com

We have configured our server to serve an Outlook Add-in using

X-Frame-Options "ALLOW-FROM https://outlook.office.com"

Our app was rejected by the Office Store because it's being tested on outlook.office365.com. We don't see a way to allow multiple domains (i.e. outlook.office.com and outlook.office365.com).

Could you please help us here?

PS: When will we completely migrate to one of these?

Upvotes: 2

Views: 6440

Answers (1)

Marc LaFleur

Reputation: 33124

The X-Frame-Options header can only support a single domain for ALLOW-FROM.

As for Outlook Web Add-ins specifically, it isn't safe to assume outlook.office.com as the host domain. The origin could be any number of known domains (outlook.office.com, outlook.office365.com, outlook.live.com, etc.) or even a custom domain (OWA with an on-prem Exchange Server for example).

It is also worth noting that X-Frame-Options isn't fully supported across browsers. Generally, unless you're looking to blanket DENY rendering in a frame, X-Frame-Options isn't very robust. And given that Office Web Add-ins by definition run within an IFRAME within a browser, it is likely going to cause far more problems than it solves.

Upvotes: 0
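
An added example, not part of the question or the answer above: the standard `Content-Security-Policy: frame-ancestors` directive (not mentioned on this page) accepts several origins, and a server can still echo one exactly matched origin in `X-Frame-Options` for older browsers. The allowlist is constructed from the hosts named in the answer and is not exhaustive (custom OWA domains would have to be added); the function names are hypothetical.

```javascript
// Constructed allowlist: the hosts named in the answer. Not exhaustive;
// an on-prem OWA host would need to be added by the deployer.
const ALLOWED_FRAME_ORIGINS = [
  "https://outlook.office.com",
  "https://outlook.office365.com",
  "https://outlook.live.com",
];

// Return the Referer's origin if it is exactly on the allowlist, else null.
function matchAllowedOrigin(referer, allowed = ALLOWED_FRAME_ORIGINS) {
  if (!referer) return null;
  let origin;
  try {
    origin = new URL(referer).origin; // normalised scheme + host (+ port)
  } catch {
    return null; // malformed Referer value
  }
  // Exact comparison only: a prefix or substring test would also accept
  // a lookalike such as https://outlook.office.com.example.net
  return allowed.includes(origin) ? origin : null;
}

// Build the framing headers for one response.
function framingHeaders(referer, allowed = ALLOWED_FRAME_ORIGINS) {
  const match = matchAllowedOrigin(referer, allowed);
  return {
    // Browsers that implement frame-ancestors enforce this list and
    // ignore X-Frame-Options when both headers are present.
    "Content-Security-Policy": "frame-ancestors " + allowed.join(" "),
    // Legacy fallback: ALLOW-FROM carries a single origin. Echo the matched
    // one; with no match (or no Referer) pin to the first entry so an
    // unlisted parent is still refused by browsers that honour ALLOW-FROM.
    "X-Frame-Options": "ALLOW-FROM " + (match || allowed[0]),
  };
}
```

The same two functions can be called from any Node response handler to set the headers per request.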
