Add-Ins and CSPP WOPI Changes
In December 2022, many WOPI implementors around the world who were also using Microsoft Add-Ins in their WOPI implementation suddenly started experiencing errors, and their Add-Ins would not load. Over the course of a couple of weeks, it transpired that a security update had occurred at Microsoft that had altered how some Add-In / WOPI implementations worked.
Microsoft did not announce or explain the changes, and as such we have only been able to infer from behaviour what the changes were.
How Should I Modify My Add-In Implementation?
JSON Objects
The main issue users have encountered is that JSON objects are now no longer supported for the “Host_IsFrameTrusted” Post Message. The content of this message specifically MUST now be a string. Previously both JSON objects and strings were accepted.
So, if your post message code previously looked like this:
// Post back Host_IsFrameTrusted
var msg = {
"MessageId": "Host_IsFrameTrusted",
"SendTime": Date.now(),
"Values": {
"isTopFrameTrusted": true // Hack: accept anything - should really check that window.location is valid
}
};
// INCORRECT NOW!!!
e.source.postMessage(msg, e.origin);
It must now look like this:
// Post back Host_IsFrameTrusted
var msg = {
"MessageId": "Host_IsFrameTrusted",
"SendTime": Date.now(),
"Values": {
"isTopFrameTrusted": true // Hack: accept anything - should really check that window.location is valid
}
};
// CORRECT!!!
e.source.postMessage(JSON.stringify(msg), e.origin);
PostMessageOrigin
It also transpired that the Microsoft side of WOPI was not validating the “PostMessageOrigin” portion of the CheckFileInfo response in relation to Post messages. Microsoft are now validating this. This also broke some implementations that did not have their PostMessageOrigin quite right!
The PostMessageOrigin must match FQDN and scheme in the URL in the address bar of the web page. For example, a document being edited at:
https://mygreatapp.mydomain.com/editor/wopi?myfileid=12345678
should have a PostMessageOrigin of:
https://mygreatapp.mydomain.com
targetOrigin
Finally, the general WOPI instructions for Post Message say that the targetOrigin should match your PostMessageOrigin property in your CheckFileInfo. This is incorrect for Host_IsFrameTrusted. Your targetOrigin should be e.origin where “e” is the App_IsFrameTrusted event that you are replying to.
Documentation Errors
The new Add-In instructions issued by Microsoft (which are only available to CSPP members via the Yammer group) contain a small, but important error.
In one place, they indicate that the format for host_install_addins (on your hostpage) is:
{
{addinId: "WA123456781", type: “TaskPaneApp”}
}
This is incorrect! The correct [square bracket] format is:
[
{addinId: "WA123456781", type: “TaskPaneApp”}
]
The instructions also incorrectly indicate that you can put a space in your Add-In id like this:
[{"addinId":"WA 104380121 ","type":"TaskPaneApp"}]
This should read:
[{"addinId":"WA104380121 ","type":"TaskPaneApp"}
If your WOPI integration has been affected by these changes at Microsoft and you would like any further assistance, please do not hesitate to contact us at McKenna Consultants. For WOPI API troubleshooting tips and other advice, take a look at our blog.
Posted in: News, Office 365 Integration, Add-In Development and Wopi Tags: cspp, wopi