Cross-Site Scripting, SharePoint Apps, App Parts and Office 365

Almost all modern browsers have implemented techniques to detect and prevent cross-site scripting attacks (XSS filtering). You will notice that in IE 8 and above this XSS filtering is enabled by default for the Internet zone.

Since the release of SharePoint 2013, which added OData support, expanded the RESTful services, empowered the CSOM (client-side object model) and also introduced the Content by Search web part, there are times where you will need to execute cross-site queries or queries across multiple domains. For that, Microsoft has introduced the “Cross-domain library (SP.RequestExecutor.js)”.

Quote from MSDN:

“The cross-domain library is a client-side alternative in the form of a JavaScript file (SP.RequestExecutor.js) that is hosted in the SharePoint website that you can reference in your remote app. The cross-domain library lets you interact with more than one domain in your remote app page through a proxy. It is a good option if you like your app code to run in the client instead of on the server, or if there are connectivity barriers, such as firewalls, between SharePoint and your remote infrastructure. You can access data in the host web—for example, you can access lists that end users interact with regardless of your app. Or you can access data in the app web, which only exists when your app is deployed. Tenant-scoped apps can also access other site collections and websites as long as the app has permissions. This article guides you through the process of building an app that reads the host web title and displays it in a remote webpage.”

So make sure you read about that library if you are planning to do any cross-domain queries in your custom code.

Now what if you have created a SharePoint app (Autohosted or Provider-hosted) and you would like to display that app in an App Part? Check the references below to see how you can do that. And what if your App Part exposes properties that users can configure in order to change the behavior of your app? In Autohosted and Provider-hosted scenarios the app runs on a domain different from your SharePoint site's domain (sometimes it is just a subdomain, but I'm not referring to that scenario here). When you try to display your app in an App Part in IE 8 and above, you might notice that it gets blocked by the XSS filter, and you get an error message like this:

“Internet Explorer has modified this page to help prevent cross-site scripting”

This can become really annoying since it prevents your app from displaying inside an App Part. I noticed that this issue can be resolved in IE if you add the app domain to the local trusted zone of IE.

So in the Office 365 case with Autohosted apps, adding the following domain to the local trusted zone would solve the issue:

https://*.spowaws-tst.windows-int.net

I haven’t looked into it deeply yet, but this is what I found and thought I’d share it until I dig into it more.
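As an added example (not code from the original post), here is how an App Part page can read the host web title through the cross-domain library while treating the SPHostUrl and SPAppWebUrl query-string tokens as untrusted input and writing the result as text rather than HTML. It assumes the standard App Part tokens, the documented SP.AppContextSite(@target) REST form, and a placeholder ALLOWED_HOSTS list that you replace with your tenant's SharePoint host suffixes.

```javascript
// Added example (not from the original post). Assumes the standard SPHostUrl/SPAppWebUrl App Part
// tokens and the documented SP.AppContextSite(@target) REST form; ALLOWED_HOSTS is a placeholder.
var ALLOWED_HOSTS = ["sharepoint.com"]; // placeholder: your tenant's SharePoint host suffix(es)
// Parse "?SPHostUrl=...&SPAppWebUrl=..." into an object, decoding %xx escapes and '+'.
function getQueryParams(search) {
  var params = {}, pairs = search.replace(/^\?/, "").split("&");
  for (var i = 0; i < pairs.length; i++) {
    if (!pairs[i]) continue;
    var idx = pairs[i].indexOf("="), key = idx < 0 ? pairs[i] : pairs[i].slice(0, idx);
    var val = idx < 0 ? "" : pairs[i].slice(idx + 1).replace(/\+/g, " ");
    params[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return params;
}
// Accept only https URLs whose host is (a subdomain of) a known SharePoint host; anything else
// arriving through the query string (another scheme, a foreign host, an empty value) is rejected.
function isAllowedSharePointUrl(url, allowedHosts) {
  var m = /^https:\/\/([a-z0-9.-]+)(?:[\/?#]|$)/i.exec(url || "");
  if (!m) return false;
  var host = m[1].toLowerCase();
  for (var i = 0; i < allowedHosts.length; i++) {
    var h = allowedHosts[i].toLowerCase();
    if (host === h || host.slice(-(h.length + 1)) === "." + h) return true;
  }
  return false;
}
// Build the proxied REST call for the host web title; single quotes in the host URL are doubled
// (the OData escape) so a quote cannot close the @target string literal early.
function buildHostWebTitleUrl(appWebUrl, hostWebUrl) {
  return appWebUrl.replace(/\/$/, "") + "/_api/SP.AppContextSite(@target)/web/title?@target='" +
    hostWebUrl.replace(/'/g, "''") + "'";
}
// Browser wiring (skipped outside a browser): load SP.RequestExecutor.js from the app web, issue
// the request, and write the title with textContent so it is never parsed as HTML.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  var q = getQueryParams(window.location.search);
  if (isAllowedSharePointUrl(q.SPHostUrl, ALLOWED_HOSTS) && isAllowedSharePointUrl(q.SPAppWebUrl, ALLOWED_HOSTS)) {
    var s = document.createElement("script");
    s.src = q.SPAppWebUrl.replace(/\/$/, "") + "/_layouts/15/SP.RequestExecutor.js";
    s.onload = function () {
      new SP.RequestExecutor(q.SPAppWebUrl).executeAsync({
        url: buildHostWebTitleUrl(q.SPAppWebUrl, q.SPHostUrl), method: "GET",
        headers: { Accept: "application/json; odata=verbose" },
        success: function (data) { document.getElementById("hostWebTitle").textContent = JSON.parse(data.body).d.Title; },
        error: function (data, code, msg) { if (window.console) console.error("Cross-domain request failed: " + msg); }
      });
    };
    document.head.appendChild(s);
  }
}
```

The page hosting this script needs an element with id hostWebTitle; the value lands in textContent, so whatever the host web title contains is displayed, not rendered.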

References

Cross-Site Scripting

How to: Access SharePoint 2013 data from remote apps using the cross-domain library

Cross-site publishing alternatives in SharePoint Online/Office 365 (good article by Richard diZerega)

How to: Create app parts to deploy with apps for SharePoint