Trusted way to get the host origin of an Office add-in

纵饮孤独 submitted on 2019-12-09 03:45:05

Question


I'm currently implementing an Outlook Add-in. It shows the user a pop-up window whenever the user is about to complete a potentially dangerous action, to protect against clickjacking attacks.

I was hoping not to have to show the user the pop-up window every time they use the add-in -- only the first time they use it from a new host origin. Is there a way to get the verified host origin of an Office add-in, so I can remember that the user trusts it for next time?

Right now I'm listening for the postMessages from the host (e.g. https://outlook.office.com) to the Office.js SDK and looking at the origin on the MessageEvents, but that seems very fragile.
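As an added example that is not part of the original question or either answer: an exact-match check on the MessageEvent origin values the question mentions, plus a small store that remembers origins the user has already confirmed in the pop-up. The `settings` object is only assumed to offer get(name)/set(name, value) in the style of Office.context.roamingSettings; MemorySettings is a constructed stand-in so the code runs offline.

```javascript
// Added example, not code from the question or the answers. `settings` is any
// object with get(name)/set(name, value); Office.context.roamingSettings is
// assumed to fit that shape, MemorySettings below is a constructed stand-in.

// Reduce a MessageEvent.origin to a canonical "https://host[:port]" string.
// Returns null for non-https or unparsable values so they are never trusted.
function normalizeOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return null; }
  if (url.protocol !== "https:") return null;
  return url.origin;
}

// Exact comparison of two origins. A substring or endsWith() test on the raw
// string would accept "https://outlook.office.com.evil.example"; this does not.
function sameOrigin(a, b) {
  const na = normalizeOrigin(a), nb = normalizeOrigin(b);
  return na !== null && na === nb;
}

class TrustedOriginStore {
  constructor(settings, key = "trustedHostOrigins") {
    this.settings = settings;
    this.key = key;
  }
  // Stored as a JSON string so only plain text reaches the settings backend.
  list() {
    try {
      const v = JSON.parse(this.settings.get(this.key) || "[]");
      return Array.isArray(v) ? v : [];
    } catch (e) { return []; }
  }
  isTrusted(origin) {
    return this.list().some((t) => sameOrigin(t, origin));
  }
  // Call only after the user has confirmed the pop-up for this origin.
  remember(origin) {
    const o = normalizeOrigin(origin);
    if (o === null) return false;
    if (!this.isTrusted(o)) this.settings.set(this.key, JSON.stringify([...this.list(), o]));
    return true;
  }
}

// True when the confirmation pop-up must still be shown for this message origin.
function needsPrompt(messageOrigin, store) {
  return !store.isTrusted(messageOrigin);
}

// Constructed in-memory stand-in for a roaming-settings style store.
class MemorySettings {
  constructor() { this.m = new Map(); }
  get(k) { return this.m.get(k); }
  set(k, v) { this.m.set(k, v); }
}
```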


Answer 1:


I'm interested in knowing more about the vector of attack that you are describing here. Is it someone creating https://evilspoof/ and hosting your web app inside an iframe there, then getting an end user to go to https://evilspoof/ and click on some things inside your add-in?

Are you authenticating your users in some way? And worried that if they log into your website legitimately...then when they go to the malicious site, they are already signed in, and thus clicks/actions on your page will work since they are already authenticated?

You may want to look at: https://dev.outlook.com/reference/add-ins/Office.context.mailbox.html#getUserIdentityTokenAsync

And associate the token when you log into the site. This call will go to the Exchange Server and give you back an identity token, that you can associate with the login. If the user logs in through OWA/Outlook, you can associate the token. When they go to the malicious site, they can spoof getUserIdentityToken, but the token returned will be different. And the user will be forced to re-enter their credentials. If the user re-enters credentials at that point, then you could be hosed. Or if the user only ever used the malicious spoofed site (and never the real one), then you would have problems...but if the user is entering their login into a spoofed site...doesn't the attacker have their login information anyway?




Answer 2:


Take a look at Roaming Settings. These settings are stored within the user's mailbox so they will follow them around regardless of the client they are using.



Source: https://stackoverflow.com/questions/43667426/trusted-way-to-get-the-host-origin-of-an-office-add-in
