I'm currently implementing an Outlook Add-in. It shows the user a pop-up window whenever the user is about to complete a potentially dangerous action, to protect against clickjacking attacks.
I was hoping not to have to show the user the pop-up window every time they use the add-in -- only the first time they use it from a new host origin. Is there a way to get the verified host origin of an Office add-in, so I can remember that the user trusts it for next time?
Right now I'm listening for the postMessages from the host (e.g. https://outlook.office.com) to the Office.js SDK and looking at the origin on the MessageEvents, but seems very fragile.
I'm interested in knowing more about the vector of attack that you are describing here. Is it someone creating https://evilspoof/ and hosting your web app inside an iframe there. Then getting an end user to go to https://evilspoof/ and click on some things inside your add-in?
Are you authenticating your users in some way? And worried that if they log into your website legitimately...then when they go to the malicious site, they are already signed in, and thus clicks/actions on your page will work since they are already authenticated?
You may want to look at: https://dev.outlook.com/reference/add-ins/Office.context.mailbox.html#getUserIdentityTokenAsync
And associate the token when you log into the site. This call will go to the Exchange Server and give you back an identity token, that you can associate with the login. If the user logs in through OWA/Outlook, you can associate the token. When they go to the malicious site, they can spoof getUserIdentityToken, but the token returned will be different. And the user will be forced to re-enter their credentials. If the user re-enters credentials at that point, then you could be hosed. Or if the user only ever used the malicious spoofed site (and never the real one), then you would have problems...but if the user is entering their login into a spoofed site...doesn't the attacker have their login information anyway?
Take a look at Roaming Settings. These settings are stored within the user's mailbox so they will follow them around regardless of the client they are using.
来源:https://stackoverflow.com/questions/43667426/trusted-way-to-get-the-host-origin-of-an-office-add-in