I've seen other questions regarding this subject, including some with answers. I believe I'm doing everything other people have recommended to solve this issue and also found in Microsoft's docs, but for some reason, I'm getting a CORS error while loading my plugin, so I need more help.
The main related question to what I'm trying to do is this: Outlook add-in publish on a Cpanel
I already tested my add-in, and it works. On the test, I'm loading everything from localhost, as shown in the MS documentation, this way:
http-server -S --cors . -p 3000
office-addin-https-reverse-proxy --url http://localhost:3000
After that, to allow it to run from localhost, I need to open a new TAB (besides the outlook one) and load at least one resource directly from localhost to be able to instruct the browser to trust localhost (I don't have a default setting to trust localhost).
What happens is that when I publish the plugin to my site, Outlook doesn't allow it to run, and I get an error on the browser's JS console complaining about 'sameorigin':
Refused to display 'https://mailsig.leadcomm.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
There's an article in Microsoft's documentation entitled "Addressing same-origin policy limitations in Office Add-ins", but it only addresses calls explicitly done using XmlHttpRequest, which is not my case.
My manifest sets all configurations for both <AppDomain> and <SourceLocation>, so I don't really understand what I'm doing wrong. The only detail is that my company's site is NOT hosted with Microsoft but in a regular CPanel hosting provider. I have a valid SSL certificate applied on the site, which also conforms to MS specifications.
Can anyone point to me what I'm doing wrong and how to address this issue?
I ended up solving this issue myself. After some research, I found out that, even though I didn't configure it this way, recent versions of cPanel use several settings to improve security, and amongst them, for Apache:
Header always set X-Frame-Options "SAMEORIGIN"
This default setting was causing my Add-In rejection by the browser since the parent frame to which the add-in would be attached wasn't coming from the "same origin" as my Add-in (the parent frame is Outlook's main frame, which comes from Microsoft's servers).
To solve the issue, I added the following settings to the .htaccess file on my website:
Header set Access-Control-Allow-Origin "*"
Header always unset X-Frame-Options
After adding the above settings to .htaccess, everything started working as planned. I hope this information helps someone else - I know how hard I tried to find this!
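Added example, not part of the original answer: a simplified model of the browser's framing decision, run over three constructed header sets (the cPanel default, the headers left after the .htaccess change above, and an alternative that names the allowed parent in a CSP frame-ancestors directive). The Outlook parent origin https://outlook.office.com and the third-party origin are assumptions, and only the immediate parent frame is checked.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors(headers):
    """Return the CSP frame-ancestors source list, or None if not set."""
    for directive in headers.get("content-security-policy", "").split(";"):
        words = directive.split()
        if words and words[0].lower() == "frame-ancestors":
            return [w.lower() for w in words[1:]]
    return None

def source_matches(source, parent, page):
    if source == "*":
        return True
    if source == "'self'":
        return parent == page
    if "://*." in source:  # wildcard host such as https://*.example.com
        scheme, suffix = source.split("://*", 1)
        return parent.startswith(scheme + "://") and parent.endswith(suffix)
    return parent == source  # exact origin; 'none' never matches

def framing_allowed(headers, page_url, parent_url):
    """Simplified model: may parent_url show page_url in a frame?"""
    headers = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    sources = frame_ancestors(headers)
    if sources is not None:  # frame-ancestors takes precedence over X-Frame-Options
        return any(source_matches(s, parent, page) for s in sources)
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return parent == page
    return True  # no framing policy: any origin may frame the page

PAGE = "https://mailsig.leadcomm.com/"         # add-in URL from the question
OUTLOOK = "https://outlook.office.com/mail/"   # assumed Outlook parent frame
OTHER = "https://unrelated.example/"           # constructed third-party site

CPANEL_DEFAULT = {"X-Frame-Options": "SAMEORIGIN"}
ANSWER_HTACCESS = {"Access-Control-Allow-Origin": "*"}  # X-Frame-Options unset
RESTRICTED = {"Content-Security-Policy":
              "frame-ancestors 'self' https://outlook.office.com"}
```

Access-Control-Allow-Origin plays no part in the framing decision; with X-Frame-Options unset and no frame-ancestors directive, every parent origin is accepted, while the restricted policy accepts only the listed one.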
Related
I have a https site and need to show content from other sites that may or may not be themselves https. Predictably enough, I'm getting warning messages like this in the console...
"Mixed Content: The page at 'https://www.example.com/' (my server) was loaded over HTTPS, but requested an insecure image 'http://www.aninsecuredomain.com/image.jpg'. (not my server) This content should also be served over HTTPS."
(not to mention the fact that I no longer see the little padlock displayed properly in most browsers, which now consider my site's network insecure).
I've read through a bunch of posts on SO on this topic, but I can't seem to find a definitive answer on whether there's anything I can do when I don't own the external servers (so can't guarantee they'll have a https version). Appreciate any thoughts on whether this is possible, and if so how I could go about achieving it!
When you need to include content from another domain in an https webpage, you can:
Make the owner of the other domain commit to https by explaining to him the security reason behind that
Proxy the content through your website or host it yourself (if you have the right to do it)
(If you don't see the padlock anymore, it's because your page is no longer secure, because it includes insecure elements that could have been tampered with: it's not that they "consider my site's network insecure", it is indeed insecure!)
You should use the // prefix. (instead of http[s]://)
On an https page, the secure version will be loaded.
On a plain http page, the plain http version will be loaded.
Edit your theme, replacing every occurrence of http://fonts.googleapis.com/... with //fonts.googleapis.com/...
I have a WordPress site that is doing a few weird things, and I believe it is because it is being cached. I changed the contents of a CSS stylesheet file, and the change took around 10 minutes before it appeared live.
I can't however find any caching mechanism setup. I've looked through cPanel and can't see anything setup there. The IP of the site resolves to the IP that cPanel is showing.
I've looked for plugins in WordPress and can't see any caching plugins (although if it was a caching plugin, would accessing a stylesheet be cached?).
Any tips on how I can see if the page is being cached on the server or by a plugin?
Put a JavaScript bug on the page which crafts a random URL and requests it. Compare the number of page requests to random URL requests. But there are lots of scenarios where a browser can cache a page in the absence of caching information.
If your website is behind the Cloudflare network or such, this is normal behavior.
Try running the next command (Windows Command prompt/Linux terminal):
ping www.yoursite.com
and visit the resolved IP address in a browser - this may tell you if you are behind a caching network.
Take a look at this article: http://www.mobify.com/blog/beginners-guide-to-http-cache-headers/
I use SAHI for automated testing. Sahi has an internal proxy I use to interact with server application.
When I browse https websites, the proxy stores the SSL certificate. These certificates are self-signed and I have to import them by clicking on “Continue to this website (not recommended).”
It is boring but it works in many cases. Now I have to work with an https site where this procedure doesn't work.
If I try to click on “Continue to this website (not recommended).”, nothing happens.
If I browse the site without proxy, I have no problems.
I use Win7, IE9.
Any idea?
If you are using the Open Source version of Sahi, you could try the latest release of https://github.com/headissue/Sahi.
Since https://github.com/headissue/Sahi/releases/tag/v4.4.0-H7E it is possible to just click on the cert link on the start page (s/dyn/Driver_initialized); then you never have to accept a certificate again.
I would appreciate it if you tried it out, and feel free to contact me if you have any questions.
I didn't understand the reason for the problem; however, I solved it just by using Firefox.
With Firefox I can import the certificate just as usual, so I exported the certificate with FF, then I imported it into IE, and that's all.
Does anybody know the reason for this issue?
Cause:
The website which you are trying to access may request resources from a domain other than the base domain (for the base domain, you have added the certificate while launching the URL).
Solution:
Open the developer tools, go to the network tab and search for any other domain, open that domain in a new tab, and click "Proceed to website" (Chrome) or "I understand the risk" (Firefox). Repeat the above steps for all the domains.
Reload the page and check whether it's displaying all the contents.
I am running a site. Some of its pages are not working in Firefox, but work perfect in Chrome. In Firefox it shows me a gray shield next to the URL and when I click on that shield and manually click on disable protection on this page then my page works fine. So now the problem is that there are many users on my site, and some of them don't know how to do it so I want to handle it on my site so its users don't need to do that.
How can I do it? I Googled and found a setting of Firefox in about:config named security.mixed_content.block_active_content. If we set it to false then it works. So is there a way to do it programmatically or other way so that users just view that page without seeing that shield?
As I understand it, content that is blocked by default by Firefox now is http content that is accessed from an https page. Common types of content that fall foul of this are external stylesheets and images.
As far as I am aware the way to prevent the problem on your site is to make sure that if a page is served by https, any and all other files that it references are also served by https.
Hi Friends,
The reason you see this error in Mozilla Firefox is because your website is a Mixed Box, that is, your website has many internal links which are not SSL protected.
In order to avoid this error from showing up in Mozilla Firefox, you will have to make sure all the internal links on your website are SSL protected.
So, use https:// in your page, not http://
I hope I was clear enough in answering your query.
"Firefox has blocked content that isn't secure" means that some content on your website is not secure.
I had the same issue, as my fonts were downloading with http://google.apis.something instead of https
Then I changed to //google.apis.something and the problem was solved.
To know what is not secure in your website, use this link
I have a virtual shop hosted under HTTPS domain, for example, https://www.myshop.com
I need to insert an external link of another domain name not hosted in my server to my site. This link can be http or https, no matter.
The only way to insert it is through a script like this:
I'm working with Classic ASP and I have a Windows 2008 server.
I redirected external domain to internal one in web.config
externalSite (secure) -> myshop.com/extSite (secure)
So I changed my code to:
Redirection works perfectly.
My problem is that I want the "mixed content" warning in IE to disappear. I've searched lots of forums but I can't find any answer that works.
Could someone help me to solve this problem? Is there any way to avoid this annoying warning?
Thank you.
No, you can't avoid it. The message is there for a reason. The page they are viewing is not secure, despite the fact that they visited a secure URL.