Trusted way to get the host origin of an Office add-in

Question

I\'m currently implementing an Outlook Add-in. It shows the user a pop-up window whenever the user is about to complete a potentially dangerous action, to protect against clickj

Answer 1

I'm interested in knowing more about the vector of attack that you are describing here. Is it someone creating https://evilspoof/ and hosting your web app inside an iframe there. Then getting an end user to go to https://evilspoof/ and click on some things inside your add-in?

Are you authenticating your users in some way? And worried that if they log into your website legitimately...then when they go to the malicious site, they are already signed in, and thus clicks/actions on your page will work since they are already authenticated?

You may want to look at: https://dev.outlook.com/reference/add-ins/Office.context.mailbox.html#getUserIdentityTokenAsync

And associate the token when you log into the site. This call will go to the Exchange Server and give you back an identity token, that you can associate with the login. If the user logs in through OWA/Outlook, you can associate the token. When they go to the malicious site, they can spoof getUserIdentityToken, but the token returned will be different. And the user will be forced to re-enter their credentials. If the user re-enters credentials at that point, then you could be hosed. Or if the user only ever used the malicious spoofed site (and never the real one), then you would have problems...but if the user is entering their login into a spoofed site...doesn't the attacker have their login information anyway?