Configuring the contentSecurityPolicy.json File for the Add-In - Microsoft 365 Hyland Outlook Office Add-In - 1.0

Product: Microsoft 365 Hyland Outlook Office Add-In
Platform: Other
Release: 1.0
The contentSecurityPolicy.json file enhances the security of the Microsoft 365 Hyland Outlook Office Add-In by defining a content security policy for the add-in's pages: the browser loads scripts, stylesheets, connections and other content only from the sources the file lists and blocks requests to any other source. Content security policy violations can be either reported or enforced, depending on how contentSecurityPolicy.json is configured. For more information on content security policies and how they are used, see the MDN Web Docs guide "Content Security Policy (CSP)".

Using the content security policy through the contentSecurityPolicy.json file is not required to use the Microsoft 365 Hyland Outlook Office Add-In. If you already apply a content security policy elsewhere (for example, at the hosting application level), you can configure the contentSecurityPolicy.json file to disable the add-in's own policy.

To configure the contentSecurityPolicy.json file:

  1. Open the config folder located in the installation directory for the Microsoft 365 Hyland Outlook Office Add-In. For example: C:\Program Files\Hyland\M365HOA
  2. Open the contentSecurityPolicy.json file in a text editor such as Notepad.
  3. Determine whether you would like to enable the content security policy, disable the content security policy, or only report content security policy violations.
    • To only report violations, set ReportOnly to true and skip to step 6.
    • To disable the content security policy, set ReportOnly to true, leave ReportTo: Policies blank, and skip to step 9.
    • To enforce the content security policy, make sure that ReportOnly is set to false.
  4. In each policy node (such as Default), list the allowed sources in the Policies array.

    Each source value must be a quoted string ("), and list items are separated by commas. For example: "'self'","https:". Keyword sources such as 'self' keep their single quotes inside the double quotes; host sources such as https: do not use single quotes.

    CAUTION: The source value 'unsafe-inline' should not be used in the Microsoft 365 Hyland Outlook Office Add-In as it would circumvent the protections provided by the content security policy.
    1. In the Script node, under Policies, enter the following list of script policies. Note that browsers that support 'strict-dynamic' (CSP Level 3) ignore the scheme and host sources in script-src and allow only scripts loaded by an already-trusted script; the host entries remain in the list as a fallback for older browsers:
      "Script":{
      	"Policies": [
      		"'self'",
      		"'strict-dynamic'",
      		"https:",
      		"https://appsforoffice.microsoft.com:*",
      		"https://ajax.aspnetcdn.com:*",
      		"https://browser.pipe.aria.microsoft.com:*",
      		"https://js.monitor.azure.com:*"
      	]
      },
    2. In the Connect node, under Policies, enter the following list of connection policies, replacing [idpLocation] with the host name of your Hyland IdP server and [hoisLocation] with the host name of your HOIS server:
      "Connect":{
      	"Policies": [
      		"'self'",
      		"https://[idpLocation]:*",
      		"https://[hoisLocation]:*"
      	]
      },
    3. For the remaining policy nodes, such as Style, under Policies, define the sources allowed to load based on your security policy.

      The following table lists the remaining policy types, the content security policy directive each corresponds to, and what it is used for.

      Policy    Directive       Description
      Default   'default-src'   Defines the sources allowed by default, for any fetch type that has no directive of its own.
      Style     'style-src'     Defines allowed sources of stylesheets or CSS.
      BaseUri   'base-uri'      Defines the URLs allowed in the "href" attribute of an HTML base tag.
      ReportTo  'report-to'     Defines the reporting group to which generated violation reports are sent.
  5. If additional content security policies need to be defined, add the policies to the contentSecurityPolicy.json file.

    The following is an example of what an added policy looks like in the file, where [TypeName] is the name of the security policy type and [value] represents an example source value:

    "[TypeName]":{
    	"Policies": [
    		"[value1]",
    		"[value2]"
    	]
    },

    The following table lists the supported content security policy type names and the content security policy directive each corresponds to:

    Policy           Directive
    Child            'child-src'
    Font             'font-src'
    Frame            'frame-src'
    Image            'img-src'
    Manifest         'manifest-src'
    Media            'media-src'
    Object           'object-src'
    ScriptElement    'script-src-elem'
    ScriptAttribute  'script-src-attr'
    StyleElement     'style-src-elem'
    StyleAttribute   'style-src-attr'
    Worker           'worker-src'
    SandBox          'sandbox'
    ReportUri        'report-uri'
  6. Configure your Hyland IdP server to allow connections to the content delivery network (CDN) at "https://appsforoffice.microsoft.com/".
    For more information on how to configure your Hyland IdP server, see the Identity and Access Management Services documentation.
  7. In the ReportTo node, under Policies, enter a name for the reporting group that will receive violation reports at the logCSP endpoint.
  8. Under ReportingEndpoints, map that same name to the URL of an endpoint that can handle content security policy report requests, followed by /logCSP.
    The following example shows a configured ReportTo node and ReportingEndpoints node, where [endpointName] is the name used for the logCSP endpoint, [IISLocation] is the host name of the IIS server, and [virtualdirectorypath] is the path to the virtual directory where the add-in is installed:
    "ReportTo": {
    	"Policies": [
    		"[endpointName]"
    	]
    },
    "ReportingEndpoints": ["[endpointName]=\"https://[IISLocation]/[virtualdirectorypath]/logCSP\""],
  9. Save and close the contentSecurityPolicy.json file.
  10. Reset IIS (for example, run iisreset from an elevated command prompt) so that the add-in reloads the configuration.
  11. Use the Diagnostics Console to verify that the configuration is working as intended.
    For more information on how to use the Diagnostics Console, see the Diagnostics Service and Diagnostics Console documentation.
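The following script is an added example, not part of the Hyland documentation or the add-in, that ties the procedure above together: it embeds a constructed contentSecurityPolicy.json built from steps 3 through 8, lints it for the mistakes called out in this topic ('unsafe-inline', a ReportTo name with no matching ReportingEndpoints entry, unknown policy type names) and previews the Content-Security-Policy and Reporting-Endpoints headers the file implies. It assumes that the policy nodes sit at the top level of the file next to ReportOnly and ReportingEndpoints, and that the add-in maps each node to the directive listed in the tables above; the exact header the add-in emits may differ, so treat the output as a preview for review rather than a specification. The host names idp.example.com, hois.example.com and iis.example.com are placeholders.

```python
"""Preview and lint a contentSecurityPolicy.json for the Hyland Outlook add-in.

Added example, not Hyland code. It assumes that the policy nodes sit at the
top level of the file next to ReportOnly and ReportingEndpoints, and that the
add-in turns each node into the CSP directive listed in the documentation
tables. The host names below are placeholders, not real deployments.
"""
import json

# Policy type name -> CSP directive, taken from the documentation tables.
DIRECTIVES = {
    "Default": "default-src", "Script": "script-src", "Connect": "connect-src",
    "Style": "style-src", "BaseUri": "base-uri", "Child": "child-src",
    "Font": "font-src", "Frame": "frame-src", "Image": "img-src",
    "Manifest": "manifest-src", "Media": "media-src", "Object": "object-src",
    "ScriptElement": "script-src-elem", "ScriptAttribute": "script-src-attr",
    "StyleElement": "style-src-elem", "StyleAttribute": "style-src-attr",
    "Worker": "worker-src", "SandBox": "sandbox", "ReportUri": "report-uri",
    "ReportTo": "report-to",  # kept last so the directive ends the header
}
NON_POLICY_KEYS = {"ReportOnly", "ReportingEndpoints"}

# Constructed sample file that follows the procedure above (placeholder hosts).
SAMPLE_CONFIG = r'''{
  "ReportOnly": false,
  "Default": { "Policies": ["'self'"] },
  "Script":  { "Policies": ["'self'", "'strict-dynamic'", "https:",
                            "https://appsforoffice.microsoft.com:*",
                            "https://ajax.aspnetcdn.com:*",
                            "https://browser.pipe.aria.microsoft.com:*",
                            "https://js.monitor.azure.com:*"] },
  "Connect": { "Policies": ["'self'", "https://idp.example.com:*",
                            "https://hois.example.com:*"] },
  "Style":   { "Policies": ["'self'"] },
  "BaseUri": { "Policies": ["'self'"] },
  "ReportTo": { "Policies": ["csp-endpoint"] },
  "ReportingEndpoints": ["csp-endpoint=\"https://iis.example.com/M365HOA/logCSP\""]
}'''


def load_config(text):
    """Parse the JSON text of contentSecurityPolicy.json into a dict."""
    return json.loads(text)


def policy_sources(config, type_name):
    """Return the non-empty source strings listed under a policy node."""
    node = config.get(type_name) or {}
    return [s for s in node.get("Policies", []) if s]


def is_disabled(config):
    """The documented 'disabled' state: ReportOnly true and ReportTo: Policies blank."""
    return bool(config.get("ReportOnly")) and not policy_sources(config, "ReportTo")


def lint(config):
    """Return a list of problems: unknown nodes, 'unsafe-inline', dangling report groups."""
    problems = []
    for key, node in config.items():
        if key in NON_POLICY_KEYS:
            continue
        if key not in DIRECTIVES:
            problems.append(f"unknown policy type name: {key}")
            continue
        for src in node.get("Policies", []):
            if src == "'unsafe-inline'":
                problems.append(f"{key}: 'unsafe-inline' circumvents the policy; remove it")
    # ReportingEndpoints entries have the form name="url"; ReportTo must name one of them.
    endpoint_names = {e.split("=", 1)[0] for e in config.get("ReportingEndpoints", [])}
    for name in policy_sources(config, "ReportTo"):
        if name not in endpoint_names:
            problems.append(f"ReportTo group '{name}' has no entry under ReportingEndpoints")
    return problems


def render_headers(config):
    """Render the response headers the configuration implies (assumed mapping)."""
    if is_disabled(config):
        return {}  # nothing is enforced or reported
    parts = []
    for type_name, directive in DIRECTIVES.items():
        sources = policy_sources(config, type_name)
        if sources:
            parts.append(f"{directive} {' '.join(sources)}")
    header = ("Content-Security-Policy-Report-Only" if config.get("ReportOnly")
              else "Content-Security-Policy")
    headers = {header: "; ".join(parts)}
    endpoints = config.get("ReportingEndpoints", [])
    if endpoints:
        headers["Reporting-Endpoints"] = ", ".join(endpoints)
    return headers


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for problem in lint(cfg):
        print("WARN:", problem)
    for name, value in render_headers(cfg).items():
        print(f"{name}: {value}")
```

To check a real installation, replace SAMPLE_CONFIG with the contents of contentSecurityPolicy.json from the config folder and run the script before resetting IIS; compare the previewed header with what the Diagnostics Console and the browser's developer tools report once the add-in is loaded.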