Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Outlook-Add-in-SSO-NAA double popups Firefox/Safari #889

Open
malnoxon opened this issue Nov 13, 2024 · 2 comments
Open

Outlook-Add-in-SSO-NAA double popups Firefox/Safari #889

malnoxon opened this issue Nov 13, 2024 · 2 comments
Assignees
@codexeon @davidchesnut
Labels
area: authentication bug: product Status: under investigation

Comments

@malnoxon
Copy link

URL of sample
https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Outlook-Add-in-SSO-NAA

Describe the bug
I routinely get double popups the first time I try to click the "Get user data" button in Firefox or Safari on a fresh login or private window due to a failure to silently get a token in those cases. They open and then automatically close with no user intervention. I do not get these popups in chrome under the same conditions where silent token retrieval is successful.

This is both a UX annoyance and can cause functional issues if the browser is configured to block popups. The particular scenario I'm concerned about is if an admin grants consent on behalf of the org in which case the end users should see 0 popups prompting them for consent and ideally never need to allow popups.

This may be a combination of 2 issues:

  1. Why is the popup needed at all?
  2. Why are there 2 of them? (more annoying UX and more likely to have the browser decide to block one)

To Reproduce
Sideload in the add-in

  1. Make a new email in outlook in Firefox
  2. Message > the apps square > click the add-in
  3. Consent to all permissions for the add-in (click the "get user data" button in the add-in and let it prompt you to accept them).
  4. Verify you can see the results from the button click in the add-in pane
  5. Now open a new private Firefox window
  6. Make a new email in outlook in that private window
  7. Open the add-in again, click the "get user data" button.
  8. Notice that it throws 2 popups that automatically open/close.

Expected behavior
After permissions have been granted I'd expect no popups to be necessesary like in chrome.

Screenshots

Firefox console logs

The resource at “https://res.public.onecdn.static.microsoft/owamail/hashed-v1/scripts/owa.2069.m.c813c80c.js” preloaded with link preload was not used within a few seconds. Make sure all attributes of the preload tag are set correctly. mail
The resource at “https://res.public.onecdn.static.microsoft/owamail/hashed-v1/scripts/owa.MsalAuth.m.600aad13.js” preloaded with link preload was not used within a few seconds. Make sure all attributes of the preload tag are set correctly. mail
downloadable font: kern: Too large subtable (font-family: "Aptos" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos.woff2
downloadable font: Table discarded (font-family: "Aptos" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos.woff2
downloadable font: kern: Too large subtable (font-family: "Aptos" style:normal weight:700 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos-Bold.woff2
downloadable font: Table discarded (font-family: "Aptos" style:normal weight:700 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos-Bold.woff2
Partitioned cookie or storage access was provided to “https://localhost:3000/taskpane.html?et=” because it is loaded in the third-party context and dynamic state partitioning is enabled.
[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled. index.js:577
[HMR] Waiting for update signal from WDS... log.js:39
[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled. index.js:577
[HMR] Waiting for update signal from WDS... log.js:39
XML Parsing Error: no root element found
Location: https://localhost:3000/taskpane.html?et=
Line Number 1, Column 1: taskpane.html:1:1
Cookie warnings 10
[Wed, 13 Nov 2024 17:17:53 GMT] : [] : @azure/msal-browser@3.26.1 : Info - Nested App Auth Bridge available: true msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:53 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCrypto: modern crypto interface available msalconfig.ts:33:20
XHRGET
https://graph.microsoft.com/v1.0/chats?$top=50&$expand=lastMessagePreview&$select=viewpoint,lastMessagePreview
[HTTP/2 429  10ms]

downloadable font: kern: Too large subtable (font-family: "Aptos Display" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-display/Aptos-Display.woff2
downloadable font: Table discarded (font-family: "Aptos Display" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-display/Aptos-Display.woff2
downloadable font: kern: Too large subtable (font-family: "Aptos Narrow" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-narrow/Aptos-Narrow.woff2
downloadable font: Table discarded (font-family: "Aptos Narrow" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-narrow/Aptos-Narrow.woff2
Trying to acquire token silently... authConfig.ts:87:14
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. mail
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. oauthRedirect.html
The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it. oauthRedirect.html
Unable to acquire token silently: InteractionRequiredAuthError: login_required: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: e791e837-6094-4a73-8656-98863b667700 Correlation ID: 01932688-27f1-73df-a48e-e4e634890d2a Timestamp: 2024-11-13 17:17:57Z authConfig.ts:92:14
Trying to acquire token interactively... authConfig.ts:97:14
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. mail
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. oauthRedirect.html
The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it. oauthRedirect.html
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - hydrateCache called msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.addAccountKeyToMap account key added msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.getTokenKeys - No token keys found msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Info - BrowserCacheManager: addTokenKey - idToken added to map msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Info - BrowserCacheManager: addTokenKey - accessToken added to map msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - setActiveAccount: Active account set msalconfig.ts:33:20
Acquired token interactively. authConfig.ts:100:14
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - setActiveAccount: Active account set msalconfig.ts:33:20
Object { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity", businessPhones: [], displayName: "Devs", givenName: "Devs", jobTitle: null, mail: "devs@InfosecOnline.com", mobilePhone: null, officeLocation: null, preferredLanguage: "en-US", surname: null, … }
msgraph-helper.ts:27:12
A resource is blocked by OpaqueResponseBlocking, please check browser console for details. 2 OutlookWeb-Mail-PROD
The connection to wss://augloop.office.com/ was interrupted while the page was loading. owa.13232.m.1012d67c.js:1:7035
[webpack-dev-server] App updated. Recompiling... index.js:577
[webpack-dev-server] App updated. Recompiling... index.js:577
[webpack-dev-server] App hot update... index.js:577
[HMR] Checking for updates on the server... log.js:39
[webpack-dev-server] App hot update... index.js:577
[HMR] Checking for updates on the server... log.js:39
[HMR] Update failed: Loading hot update chunk polyfill failed.
(missing: https://localhost:3000/polyfill.e0c31b8a82ca081b835d.hot-update.js)
loadUpdateChunk/<@https://localhost:3000/polyfill.js:26926:26
loadUpdateChunk@https://localhost:3000/polyfill.js:26921:20
__webpack_require__.hmrC.jsonp/<@https://localhost:3000/polyfill.js:27378:29
__webpack_require__.hmrC.jsonp@https://localhost:3000/polyfill.js:27373:22
hotCheck/</</<@https://localhost:3000/polyfill.js:26751:47
hotCheck/</<@https://localhost:3000/polyfill.js:26747:55
promise callback*hotCheck/<@https://localhost:3000/polyfill.js:26742:43
promise callback*hotCheck@https://localhost:3000/polyfill.js:26733:15
check@https://localhost:3000/polyfill.js:4020:5
./node_modules/webpack/hot/dev-server.js/<@https://localhost:3000/polyfill.js:4074:4
emit@https://localhost:3000/polyfill.js:350:17
reloadApp@https://localhost:3000/polyfill.js:3915:67
ok@https://localhost:3000/polyfill.js:1841:68
./node_modules/webpack-dev-server/client/socket.js/initSocket/<@https://localhost:3000/polyfill.js:3591:29
./node_modules/webpack-dev-server/client/clients/WebSocketClient.js/onMessage/this.client.onmessage@https://localhost:3000/polyfill.js:1574:10
EventHandlerNonNull*onMessage@https://localhost:3000/polyfill.js:1573:7
initSocket@https://localhost:3000/polyfill.js:3584:10
./node_modules/webpack-dev-server/client/index.js?protocol=wss%3A&hostname=0.0.0.0&port=3000&pathname=%2Fws&logging=info&overlay=true&reconnect=10&hot=true&live-reload=true@https://localhost:3000/polyfill.js:1926:55
__webpack_require__@https://localhost:3000/polyfill.js:26353:32
@https://localhost:3000/polyfill.js:27417:30
@https://localhost:3000/polyfill.js:27422:12
log.js:41
[HMR] Nothing hot updated. log.js:39
[HMR] App is up to date. log.js:39

Chrome logs when performing the same action

11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.963 bootstrap:22 [webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.
11:15:04.964 bootstrap:22 [HMR] Waiting for update signal from WDS...
11:15:05.028 bootstrap:22 [webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.
11:15:05.029 bootstrap:22 [HMR] Waiting for update signal from WDS...
11:15:06.067 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:06 GMT] : [] : @azure/msal-browser@3.26.1 : Info - Nested App Auth Bridge available: true
11:15:06.067 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:06 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCrypto: modern crypto interface available
11:15:08.164 owa.30114.m.7d654955.js:1 
        
        
       GET https://graph.microsoft.com/v1.0/chats?$top=50&$expand=lastMessagePreview&$select=viewpoint,lastMessagePreview 429 (Too Many Requests)
o @ owa.30114.m.7d654955.js:1
c @ owa.30114.m.7d654955.js:1
E @ owa.30114.m.7d654955.js:1
await in E
(anonymous) @ owa.mailindex.8754bfb2.js:1
Promise.then
importAndExecute @ owa.mailindex.8754bfb2.js:1
task @ owa.AppBoot.m.01b05440.js:1
t @ owa.Tti.m.1ee76fcc.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
postTask
r @ owa.mailindex.8754bfb2.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
runTask @ owa.AppBoot.m.01b05440.js:17
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
11:15:09.223 authConfig.ts:87 Trying to acquire token silently...
11:15:09.242 owa.2069.m.c813c80c.js:7 An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
tF @ owa.2069.m.c813c80c.js:7
tK @ owa.2069.m.c813c80c.js:7
(anonymous) @ owa.2069.m.c813c80c.js:1
tD @ owa.2069.m.c813c80c.js:7
(anonymous) @ owa.2069.m.c813c80c.js:1
silentTokenHelper @ owa.2069.m.c813c80c.js:7
await in silentTokenHelper
(anonymous) @ owa.2069.m.c813c80c.js:1
acquireToken @ owa.2069.m.c813c80c.js:7
await in acquireToken
ssoSilent @ owa.2069.m.c813c80c.js:7
ssoSilent @ owa.2069.m.c813c80c.js:7
eg @ owa.MsalAuth.m.600aad13.js:1
eV @ owa.MsalAuth.m.600aad13.js:1
ej @ owa.MsalAuth.m.600aad13.js:1
await in ej
getNestedAppAuthToken @ owa.MsalAuth.m.600aad13.js:1
getTokenRequest @ owa.MsalAuth.m.600aad13.js:1
(anonymous) @ owa.MsalAuth.m.600aad13.js:1
l @ owa.MsalAuth.m.600aad13.js:1
f @ owa.MsalAuth.m.600aad13.js:1
eY @ owa.MsalAuth.m.600aad13.js:1
(anonymous) @ owa.mailindex.8754bfb2.js:1
then @ owa.mailindex.8754bfb2.js:1
importAndExecute @ owa.mailindex.8754bfb2.js:1
(anonymous) @ owa.mailindex.8754bfb2.js:1
then @ owa.mailindex.8754bfb2.js:1
importAndExecute @ owa.mailindex.8754bfb2.js:1
executeNaaRequest @ owa.AppBoot.m.01b05440.js:1
tT @ owa.82103.m.0f56f587.js:1
n8 @ owa.82103.m.0f56f587.js:1
(anonymous) @ owa.82103.m.0f56f587.js:1
e.invoke @ owa.24892.m.c797c99d.js:1
u @ owa.24892.m.c797c99d.js:1
v @ owa.24892.m.c797c99d.js:1
11:15:09.678 mail/oauthRedirect.html#code=1.ASgATSnmPjO2u0asaqgHWwlcEyC_mZE_oQdBhdwCEUeH70jZAG8oAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P-8z9yphqfHBXVscm0xI7DbcRFFwIYOI7drYOMTuozXiX0ObAMM_xfioc3c38-miZ0r5aLcnflx24Uv0hLc0yW94NUih6tZw7xWv2lKSIh3uTFII3HiXB0a9PUuSV83oAf_rmjh__fFwgHj7DCw746hBJfDZEF2jj5nGBqvOMYuZr70fbbzmlS5coRSaq6VYSa0bL90R87XGReOUNMfucVuka3q0XTfQaKwGpC4przhqJ9q4z6RQ9bOc4u7TGhguXqax7jyj38jVEiFnA8UsxWtGkwrlbeuDRiOt4rLEdSKbLGxiXmgAXZCM6sGV3ADvXQIyzpPF7XdBXrz0gJd66VC3UV3Z70VkvfJCGYxCe20w3Hg7pDLcMtZBs7jOLyKuwgJMVdQ8SSydkQ7ruSP-xjoa1-i4qwz9WXlYXyWftqh7l2EJYMMY9Z9gwoYEKmrP4jZ7GK127wjGQt4egt5VtllXEX8qmwqe8cSKWVkis2vHL4H5JupaOseSSLCMz_PWiiRAGHTjrFqVb5xtYj-jqFb39bHfz_EwiIRJPowYDEK-uPKOel_cro8fWMNj1lH51BwTOr8ehXy-HtFf5UyxofXjihLmt5PZE6HwJoQk0r20a4V5TfNbqMzYT-CA1bC-BEErNz4ma3a6PUuTqEC_5uOH6kZe2kGhihQysJQPC9HyyNplAvNn0EBDx28wDhCitoVvuvtIvPAvDD_-oJ6kIG8FwUKzZyiOn6CqJ24FIRqVfjf1_Ed2CLyiwOOCix4Nnai9JeZJ6IESAHQ10BMxbKAGk1W3JEIlJJ8fMIhvPeuIbc-2a2TlCzqWALkFS9QCjHAa78OaII&client_info=eyJ1aWQiOiJhMGU5MmI0Ny03OTM1LTQyNTEtOTQwMy05N2U5MmRkZWUxZDMiLCJ1dGlkIjoiM2VlNjI5NGQtYjYzMy00NmJiLWFjNmEtYTgwNzViMDk1YzEzIn0&state=eyJpZCI6IjAxOTMyNjg1LTk2MmMtNzg3Mi04NjBhLTg1ZWI2NTI5NDdhZCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19&session_state=f00afcdb-7bf3-401c-864d-e892ff10e2b9:1 An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
11:15:10.286 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - hydrateCache called
11:15:10.287 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
11:15:10.287 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.addAccountKeyToMap account key added
11:15:10.288 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - BrowserCacheManager.getTokenKeys - No token keys found
11:15:10.288 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Info - BrowserCacheManager: addTokenKey - idToken added to map
11:15:10.288 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Info - BrowserCacheManager: addTokenKey - accessToken added to map
11:15:10.289 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/msal-browser@3.26.1 : Verbose - setActiveAccount: Active account set
11:15:10.289 authConfig.ts:89 Acquired token silently.
11:15:10.403 msgraph-helper.ts:27 {@odata.context: 'https://graph.microsoft.com/v1.0/$metadata#users/$entity', businessPhones: Array(0), displayName: 'Devs', givenName: 'Devs', jobTitle: null, …}
11:22:16.000 index.js:577 [webpack-dev-server] App updated. Recompiling...
11:22:16.001 index.js:577 [webpack-dev-server] App updated. Recompiling...
11:22:16.658 index.js:577 [webpack-dev-server] App hot update...
11:22:16.658 log.js:39 [HMR] Checking for updates on the server...
11:22:16.659 index.js:577 [webpack-dev-server] App hot update...
11:22:16.659 log.js:39 [HMR] Checking for updates on the server...
11:22:16.710 log.js:41 [HMR] Update failed: Loading hot update chunk polyfill failed.
(missing: https://localhost:3000/polyfill.e0c31b8a82ca081b835d.hot-update.js)
ChunkLoadError
    at https://localhost:3000/polyfill.js:26926:26
    at new Promise (<anonymous>)
    at loadUpdateChunk (https://localhost:3000/polyfill.js:26921:20)
    at https://localhost:3000/polyfill.js:27378:29
    at Array.forEach (<anonymous>)
    at __webpack_require__.hmrC.jsonp (https://localhost:3000/polyfill.js:27373:22)
    at https://localhost:3000/polyfill.js:26751:47
    at Array.reduce (<anonymous>)
    at https://localhost:3000/polyfill.js:26747:55
__webpack_modules__../node_modules/webpack/hot/log.js.module.exports @ log.js:41
(anonymous) @ dev-server.js:60
Promise.catch
check @ dev-server.js:45
(anonymous) @ dev-server.js:69
emit @ events.js:153
reloadApp @ reloadApp.js:38
ok @ index.js:239
(anonymous) @ socket.js:62
client.onmessage @ WebSocketClient.js:45
Show 9 more frames
Show less
11:22:16.711 log.js:39 [HMR] Nothing hot updated.
11:22:16.711 log.js:39 [HMR] App is up to date.

Environment

  • Platform [PC desktop, Mac, iOS, Office Online]: OSX 14.7.1
  • Host [Excel, Word, PowerPoint, etc.]: Outlook for Web
  • Browser (if using Office Online): Firefox 132.0.2/Safari 18.1

Additional context
n/a
@AlexJerabek
Copy link
Collaborator

Thanks for flagging this @malnoxon.

@codexeon or @davidchesnut, could you please take a look?

@davidchesnut
Copy link
Member

I am able to reproduce this behavior so I'm looking into this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codexeon codexeon

@davidchesnut davidchesnut

Labels
area: authentication bug: product Status: under investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@malnoxon @codexeon @davidchesnut @AlexJerabek