We recently made some changes to harden the security of the Office Add-in dialog API, which impacts cross-domain communication. Normally we do not do Message center communications on these monthly changes, but in this case we want to make sure the potential for impact is understood. This change only impacts Office Add-ins and does not affect COM/VSTO add-ins.
Affected Workloads
- Microsoft 365 Apps
Note: If your organization is not using Office Add-ins you can safely disregard this message.
When will this happen
These changes will take effect in the semi-annual channel on September 14th. Please ensure your add-in is updated before this date.
How does this affect your organization
If your organization is deploying an Office Add-in, your add-in functionality may be impacted. Please confirm with your add-in provider whether your add-in is using either the Office.ui.messageParent or Office.dialog.messageChild methods to communicate between the dialog and the parent page (typically a task pane) on different domains. If so, your add-in will need to be updated to pass a new parameter to enable cross-domain communication.
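The following is an added example, not code from this message or from Microsoft, showing one way an add-in can pass an explicit target origin on both sides of the dialog. The message does not name the parameter; the example uses the `targetOrigin` option that the Office JavaScript API accepts on `messageParent` and `messageChild`. The allowlist, the contoso host name and the helper names are constructed, and rejecting `*` is a hardening choice made here.

```javascript
// Constructed allowlist of origins this add-in is willing to message.
const ALLOWED_ORIGINS = new Set(["https://addin.contoso.example"]);

// Reduce a URL to its origin and require HTTPS plus allowlist membership.
// "*" and other unparsable values are rejected instead of being passed through.
function resolveTargetOrigin(candidate, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    throw new Error(`not a valid origin: ${candidate}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`origin must use https: ${candidate}`);
  }
  if (!allowed.has(url.origin)) {
    throw new Error(`origin not in allowlist: ${url.origin}`);
  }
  return url.origin;
}

// Dialog page -> parent page (typically a task pane).
// `ui` is Office.context.ui in a real add-in; it is injected here so the
// helper can be exercised without the Office runtime.
function sendToParent(ui, payload, parentOrigin, allowed = ALLOWED_ORIGINS) {
  const targetOrigin = resolveTargetOrigin(parentOrigin, allowed);
  ui.messageParent(JSON.stringify(payload), { targetOrigin });
  return targetOrigin;
}

// Parent page -> dialog page.
// `dialog` is the Office.Dialog object returned by displayDialogAsync.
function sendToDialog(dialog, payload, dialogOrigin, allowed = ALLOWED_ORIGINS) {
  const targetOrigin = resolveTargetOrigin(dialogOrigin, allowed);
  dialog.messageChild(JSON.stringify(payload), { targetOrigin });
  return targetOrigin;
}
```
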
The changes are rolling out with the following builds:
- Office on the web: Live from 7/19/2021
- Microsoft 365 on Windows subscription: 16.0.14310.10000
- Office on Mac: 16.52.21080801
- Office on iOS: 2.52.21080801
- Semi-annual channel: The September Patch Tuesday (9/14/2021) will include the update.
What can you do to prepare
On Windows, you can set a registry key to bypass the target origin validation if needed. (For instructions, see the Tip in Cross-domain messaging to the host runtime.) Doing so allows add-ins that communicate across domains to continue running even if they haven’t been updated to use the new parameter. Do this only as a temporary measure until the add-in is updated.
Message ID: MC283865
Published: 08 September 2021
Updated: 08 September 2021
Effective: September 14, 2021
Action required by date: 14 September 2021