MC283865 – Microsoft recently made some changes to harden the security of the Office Add-in dialog API, which impacts cross-domain communication. Normally they do not do Message center communications on these monthly changes, but in the case Microsoft want to make sure the potential for impact is understood.
Note: If your organization is not using Office Add-ins you can safely disregard this message.
This change only impacts Office Add-ins and does not affect COM/VSTO add-ins.
When will this happen:
These changes will take effect in the semi-annual channel on September 14th. Please ensure your add-in is updated before this date.
How does this affect your organization:
If your organization is deploying an office add-in, your add-in functionality may be impacted. Please confirm with your add-in provider whether your add-in is using either the Office.ui.messageParent or Office.dialog.messageChild methods to communicate between the dialog and the parent page (typically a task pane) on different domains. If so, your add-in will need to be updated to pass a new parameter to enable cross-domain communication.
The changes are rolling out with the following builds:
- Office on the web: Live from 7/19/2021
- Microsoft 365 on Windows subscription: 16.0.14310.10000
- Office on Mac: 16.52.21080801
- Office on iOS: 2.52.21080801
- Semi-annual channel: The September Patch Tuesday (9/14/2021) will include the update.
What can you do to prepare:
For more information, see Action required: Update your Office add-in dialog for cross-domain communication
On Windows, you can set a registry key to bypass the target origin validation if needed. (For instructions, see the Tip in Cross-domain messaging to the host runtime.) Doing so allows add-ins making cross-domain communication to continue running even if they haven’t been updated to use the new parameter. Do this only as a temporary expediency until the add-in is updated.