{"id":6990,"date":"2021-08-27T13:02:58","date_gmt":"2021-08-27T21:02:58","guid":{"rendered":"https:\/\/officedevblogs.wpengine.com\/?p=6633"},"modified":"2022-05-25T17:53:32","modified_gmt":"2022-05-26T00:53:32","slug":"action-required-update-your-office-add-in-dialog-for-cross-domain-communication","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/action-required-update-your-office-add-in-dialog-for-cross-domain-communication\/","title":{"rendered":"Update your Office Add-in Dialog for cross-domain calls"},"content":{"rendered":"

We’ve recently implemented a security update to the Office Add-in Dialog API. This affects cross-domain communication between the dialog and the parent page (typically a task pane) using either the Office.ui.messageParent<\/a> or Office.dialog.messageChild<\/a> methods. Cross-domain communication means that your add-in calls one of these methods when the parent page and the dialog are in different domains.<\/p>\n

Action required to update your Office Add-in Dialog<\/h2>\n

If you’re using either method to make cross-domain calls, this is a breaking change. You must update your add-in<\/em>. You need to add a new parameter, DialogMessageOptions<\/a>, to the call of messageParent<\/code> or messageChild<\/code>. The new parameter is an object with a targetOrigin<\/code> property that specifies the URL of the domain for which the message is intended.<\/p>\n

For more information and sample code, see Cross-domain messaging to the host runtime<\/a> \u00a0and Cross-domain messaging to the dialog runtime<\/a>.<\/p>\n

Same domain communication will remain unaffected. A call to messageParent<\/code> or messageChild<\/code> does not need the new parameter when the dialog and parent are in the same domain. So, you don\u2019t need to do anything if your add-in only makes same domain calls.<\/p>\n

This change does not affect the Office add-in single sign-on API (Office.auth.getAccessToken<\/a>).<\/p>\n

As part of this change, we’ve introduced a new requirement set, DialogOrigin 1.1<\/a>, which contains the new versions of messageParent<\/code> and messageChild<\/code>.<\/p>\n

On Windows, users can set a registry key to bypass the target origin validation if needed. For instructions, see the Tip in Cross-domain messaging to the host runtime<\/a>. Then, cross-domain communication will continue to run even if you do not update them to use the new parameter. You should have users do this only as a temporary expediency until the add-in is updated.<\/p>\n

Call to Action<\/h3>\n

If your add-in makes cross-domain calls of messageParent<\/code> or messageChild<\/code>:<\/p>\n