5

I am currently working on an Outlook addin for a service that we provide and am having issues getting it through store submission. My problem is that although the addin works well in Outlook, if you try to load it from Safari on Office 365, the reading of cookies will be blocked.

We are using the Office.js SDK to manage Exchange integration and to provide a dialog whereby the user logs in. This creates a cookie containing a token which we then read in JS to send with any API requests. With the blocking of third party cookies enabled (or when using Safari) it would appear that the iframe cannot access cookies from the same origin. With third party cookies enabled (or when not using Safari) everything works as expected.

The problem for us is that Microsoft will not approve the addin unless it works on the latest version of Safari.

Thanks in advance.

Sergio
  • Can you clarify which code is creating the cookie? Is it an Office.js API, your code, or an authentication library? Thanks. – Outlook Add-ins Team - MSFT Jan 22 '20 at 23:10
  • Hi, we create the cookies in the dialog that is created via the office.js library: Office.context.ui.displayDialogAsync(). I can verify that the cookies are there, belonging to the origin of the iframe, but when I try to read them whilst the addin is hosted in an iframe, I get nothing back. The actual creation of the cookie takes place using a simple js cookie library. Cookies.set("loginToken", token.access_token, { expires: 7 }); – Sergio Jan 23 '20 at 09:21
  • Hi, thanks for the response. Can you please clarify the following: is there any error message in the debug console for the same? If yes, can you please share them? – Outlook Add-ins Team - MSFT Jan 24 '20 at 06:05
  • There don't appear to be any errors. The cookie is simply empty. – Sergio Jan 24 '20 at 09:47
  • Would you expect the browser to be able to access cookies in an iframe? – Sergio Jan 24 '20 at 09:47

1 Answer

0

We suspect that this might have something to do with a regression in WebKit itself, which is causing third party cookies to be blocked even if the user has interacted with the main page.

This change caused the regression: https://trac.webkit.org/changeset/251353/webkit

This change fixed it: https://trac.webkit.org/changeset/252623/webkit

If this is the case, then we have to wait till the fix is shipped. However, third party cookies can only be accessed after the user has accessed the main page in a window (if you're setting the cookies in the display dialog, that should ideally work). (Read more here) As a workaround to this problem, you can use localStorage to store temporary information in the browser, which should be free from this regression, or you can use server side cookies.
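
The localStorage workaround mentioned in the answer above, as an added example that is not part of the original answer or the add-in's own code: it stores the token under the question's "loginToken" name with the same 7-day lifetime and rejects expired or malformed entries on read. The function names and the in-memory storage stand-in are hypothetical; in the browser, pass `window.localStorage` from both the login dialog and the add-in iframe (same origin assumed, as in the question).

```javascript
// Added example: localStorage replacement for the 7-day "loginToken" cookie.
// TOKEN_KEY mirrors the cookie name in the question; function names are hypothetical.
const TOKEN_KEY = "loginToken";
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// Login dialog: call instead of Cookies.set(...). Returns false if storage is unusable.
function saveLoginToken(storage, accessToken, now = Date.now(), ttlMs = SEVEN_DAYS_MS) {
  if (typeof accessToken !== "string" || accessToken.length === 0) {
    throw new TypeError("accessToken must be a non-empty string");
  }
  try {
    storage.setItem(TOKEN_KEY, JSON.stringify({ token: accessToken, expiresAt: now + ttlMs }));
    return true;
  } catch (err) {
    return false; // quota exceeded or storage blocked: caller should prompt for login again
  }
}

// Add-in iframe: call before each API request. Returns the token, or null if none is valid.
function readLoginToken(storage, now = Date.now()) {
  try {
    const raw = storage.getItem(TOKEN_KEY);
    if (raw === null) return null;
    let record = null;
    try { record = JSON.parse(raw); } catch (err) { /* malformed: handled below */ }
    const valid = record !== null && typeof record === "object" &&
      typeof record.token === "string" && record.token.length > 0 &&
      Number.isFinite(record.expiresAt) && record.expiresAt > now;
    if (!valid) {
      storage.removeItem(TOKEN_KEY); // expired or malformed: drop the stale credential
      return null;
    }
    return record.token;
  } catch (err) {
    return null; // storage access itself was blocked
  }
}

// In-memory stand-in for window.localStorage (constructed) so the example runs in Node.
function createMemoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}
```

A token kept this way is readable by any script running on the add-in's origin, the same exposure as the JS-readable cookie it replaces.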