Reputation: 454
I've been trying to use office API to fetch some data on office VPN. The fetch method is GET over HTTP protocol in the VPN. It fails. After some debugging, I've come to a question:
We don't have HTTPS and SSL as it is a VPN, so there is no encryption needed. The only encryption that exists is between this office and the cloud via the VPN client. My suspicion is that Microsoft feels this is unsafe and rejects all HTTP protocol without SSL. Is this true?
What I've tried:
    async function main(workbook: ExcelScript.Workbook) {
        // Office Script fetch
        // this is the official test url
        const url0 = 'https://jsonplaceholder.typicode.com/todos/1'
        // this is the FAIL fetch test (is it because HTTP?)
        const urlFAIL = 'http://<localip>/api/collections/public/records';
        // localhost works
        const urlLocalhost = 'http://127.0.0.1/api/collections/public/records'
        // this is SUCCESSFUL with the same API software! but this one is over internet with HTTPS
        const urlSUCCESS = 'https://<someDNS>/api/collections/public/records';
        // log the URL that is actually fetched (the original logged an undefined `url`)
        console.log(url0)
        let fetchResult = await fetch(url0);
        let json: object = await fetchResult.json();
        console.log(JSON.stringify(json));
    }
Another thing is that I also tested the browser's fetch to the local IP: everything works, even over HTTP. Somehow HTTP does not work in Office fetch.
Upvotes: 0
Views: 648
Reputation: 1581
This is actually not an Office Scripts specific problem, but rather a browser security restriction.
You are seeing this issue because Excel for the web is running over HTTPS, which is treated as a secured context/origin. When Office Scripts is running inside Excel for the web, inheritably it is also expected to only access (fetch) network resources from a secured context/origin - HTTPS. Therefore, any access to an unsecured origin (HTTP) will be blocked. I believe this is the default security setting for most modern browsers (Chrome, Edge, etc.).
However, if you trust the network resources you are trying to access, you can probably try bypassing this browser security setting:
For Microsoft Edge: please refer to this article: https://learn.microsoft.com/en-us/answers/questions/621757/how-to-get-rid-of-not-secure-mark-in-edge-browser. I was able to fetch HTTP resources from my script after following the steps in Option 2, where you can explicitly put your site in the allow list.
For Chrome: please refer to this StackOverflow post: "How to get Chrome to allow mixed content?" I'm not sure if there is a way to explicitly allow-list your sites, though.
Upvotes: 2
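The blocking rule described in the answer can be modelled in a few lines. This is an added example, not code from the question, the answer, Microsoft or any browser: it is a simplified model of the W3C Mixed Content and Secure Contexts rules, and the page URL `https://excel.example/` and the address `10.0.0.5` are constructed stand-ins for the Excel for the web page and the question's `<localip>`.

```javascript
// Simplified model of browser mixed-content blocking for fetch().
// Real browsers also apply CSP, CORS and other checks; only the scheme/loopback rule is shown.

// HTTPS/WSS targets and loopback addresses count as "potentially trustworthy".
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets on IPv6 hosts
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // 127.0.0.0/8
  return host === '::1';
}

// Decide what happens to a fetch(target) issued by script running in pageUrl.
function classifyFetch(pageUrl, target) {
  // A page that is not itself secure has no mixed-content restriction to enforce.
  if (!isPotentiallyTrustworthy(pageUrl)) return 'allowed';
  return isPotentiallyTrustworthy(target) ? 'allowed' : 'blocked-mixed-content';
}

// Audit a list of API endpoints before wiring them into a script.
function auditTargets(pageUrl, targets) {
  return targets.map((t) => ({ target: t, verdict: classifyFetch(pageUrl, t) }));
}

// Constructed inputs mirroring the four URLs in the question.
const PAGE = 'https://excel.example/';
const TARGETS = [
  'https://jsonplaceholder.typicode.com/todos/1',
  'http://10.0.0.5/api/collections/public/records',   // stand-in for <localip>
  'http://127.0.0.1/api/collections/public/records',
  'https://api.example/api/collections/public/records' // stand-in for <someDNS>
];

for (const { target, verdict } of auditTargets(PAGE, TARGETS)) {
  console.log(verdict.padEnd(22), target);
}
```

Only the plain-HTTP private address is blocked, which matches the behaviour reported in the question. Serving the internal API over HTTPS removes the block without changing any browser setting.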