Add-Ins and CSPP WOPI Changes

In December 2022, many WOPI implementors around the world who were also using Microsoft Add-Ins in their WOPI implementation suddenly started experiencing errors, and their Add-Ins would not load. Over the course of a couple of weeks, it transpired that a security update had occurred at Microsoft that had altered how some Add-In / WOPI implementations worked.

Microsoft did not announce or explain the changes, and as such we have only been able to infer from behaviour what the changes were.

How Should I Modify My Add-In Implementation?

JSON Objects

The main issue users have encountered is that JSON objects are no longer supported for the “Host_IsFrameTrusted” Post Message. The content of this specific message MUST now be a string. Previously, both JSON objects and strings were accepted.

So, if your post message code previously looked like this:

    // Post back Host_IsFrameTrusted
    var msg = {
        "MessageId": "Host_IsFrameTrusted",
        "SendTime": Date.now(),
        "Values": {
            "isTopFrameTrusted": true // Hack: accept anything - should really check that window.location is valid
        }
    };

    // INCORRECT NOW!!!
    e.source.postMessage(msg, e.origin);

It must now look like this:

    // Post back Host_IsFrameTrusted
    var msg = {
        "MessageId": "Host_IsFrameTrusted",
        "SendTime": Date.now(),
        "Values": {
            "isTopFrameTrusted": true // Hack: accept anything - should really check that window.location is valid
        }
    };

    // CORRECT!!!
    e.source.postMessage(JSON.stringify(msg), e.origin);

PostMessageOrigin

It also transpired that the Microsoft side of WOPI was not previously validating the “PostMessageOrigin” portion of the CheckFileInfo response in relation to Post Messages. Microsoft are now validating this. This also broke some implementations that did not have their PostMessageOrigin quite right!

The PostMessageOrigin must match the scheme and FQDN of the URL in the address bar of the web page. For example, a document being edited at:

https://mygreatapp.mydomain.com/editor/wopi?myfileid=12345678

should have a PostMessageOrigin of:

https://mygreatapp.mydomain.com

targetOrigin

Finally, the general WOPI instructions for Post Message say that the targetOrigin should match your PostMessageOrigin property in your CheckFileInfo. This is incorrect for Host_IsFrameTrusted. Your targetOrigin should be e.origin where “e” is the App_IsFrameTrusted event that you are replying to.
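
The three changes above (string payload, PostMessageOrigin made of scheme and FQDN, reply sent to e.origin) can be combined in one handler. This is an added example, not code from Microsoft or from the original article; the allowlist of Office frame origins, the shape of the incoming App_IsFrameTrusted message and the function names are assumptions.

```javascript
// Added example: not Microsoft's code and not the original author's.
// Assumptions: App_IsFrameTrusted arrives as a JSON string with a MessageId field;
// allowedOfficeOrigins is your own allowlist of Office frame origins.

// Conservative check: PostMessageOrigin must be exactly scheme + "//" + FQDN
// of the host page URL, with no path, query or trailing slash.
function postMessageOriginMatches(postMessageOrigin, hostPageUrl) {
    var page = new URL(hostPageUrl);
    var expected = page.protocol + "//" + page.hostname;
    return String(postMessageOrigin).toLowerCase() === expected;
}

// Returns { data, targetOrigin } for the reply, or null when no reply should be sent.
function buildFrameTrustedReply(e, allowedOfficeOrigins, hostPageUrl, postMessageOrigin) {
    // Only answer frames whose origin is on the allowlist.
    if (allowedOfficeOrigins.indexOf(e.origin) === -1) return null;
    var incoming;
    try { incoming = JSON.parse(e.data); } catch (err) { return null; }
    if (!incoming || incoming.MessageId !== "App_IsFrameTrusted") return null;
    var msg = {
        "MessageId": "Host_IsFrameTrusted",
        "SendTime": Date.now(),
        "Values": {
            // Replaces the "accept anything" hack with a real location check.
            "isTopFrameTrusted": postMessageOriginMatches(postMessageOrigin, hostPageUrl)
        }
    };
    // The payload is a string and the targetOrigin is the sender's origin.
    return { data: JSON.stringify(msg), targetOrigin: e.origin };
}

// Browser wiring, left as a comment so the block also runs outside a browser:
// window.addEventListener("message", function (e) {
//     var r = buildFrameTrustedReply(e, OFFICE_ORIGINS, window.location.href, HOST_ORIGIN);
//     if (r) e.source.postMessage(r.data, r.targetOrigin);
// });
```

OFFICE_ORIGINS and HOST_ORIGIN in the wiring comment are placeholders for your own configuration; HOST_ORIGIN should be the same value you return as PostMessageOrigin in CheckFileInfo.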


Documentation Errors

The new Add-In instructions issued by Microsoft (which are only available to CSPP members via the Yammer group) contain a small but important error.

In one place, they indicate that the format for host_install_addins (on your hostpage) is:

{
    {addinId: "WA123456781", type: "TaskPaneApp"}
}

This is incorrect! The correct [square bracket] format is:

[
    {addinId: "WA123456781", type: "TaskPaneApp"}
]

The instructions also incorrectly indicate that you can put a space in your Add-In id like this:

[{"addinId":"WA 104380121 ","type":"TaskPaneApp"}]

This should read:

[{"addinId":"WA104380121 ","type":"TaskPaneApp"}]

If your WOPI integration has been affected by these changes at Microsoft and you would like any further assistance, please do not hesitate to contact us at McKenna Consultants. For WOPI API troubleshooting tips and other advice, take a look at our blog.

Nick McKenna