Window.open gets cross-origin-opener-policy Error

Hi Team,

I created a small app in the “ticket_top_navigation”, which generates a small button. If you click the button, the browser should open a new tab with a dynamic outlook-calendar link “Sign in to Outlook”, based on some ticket-details.

The link is opened via

window.open(outlooklink, '_blank', 'noreferrer');

The app worked like a charm for one year, but suddenly stopped working a few weeks ago. The new tab now shows an error “ERR_BLOCKED_BY_RESPONSE” because cross-origin-opener-policy is enabled.

Do you have any hints for me?

Thanks a lot!

Hi @MartinH ,

Welcome to the community :tada:

Since Freshworks apps are rendered sandboxed, I don’t think you can load external sites from iframe.

The app worked like a charm for one year, but suddenly stopped working a few weeks ago.

I doubt this worked earlier.

Please check if the below thread is relevant.

Thanks

Hi @mariappan ,

Thanks for your answer! It's nice to be a member of this community :handshake:

The post you linked is exactly the same problem I have in my app. You can trust me, my app worked for a while without any problems :sweat_smile:

I also tried to use a simple href-Link but the error is the same with window.open.

Which possibilities do I have, to generate a simple link to a third party site without these sandbox restrictions? This could be a global whitelist with trusted third party sites like *.office.com *.facebook.com and so on.

I totally understand your security concerns, but this situation is a big limit to connect a great ticket-system to other collaboration tools out there!

Thanks

1 Like

Hi @MartinH ,

As mentioned earlier, it’s a general security standard followed. There are only three possibilities I could think of:

  1. Removing sandbox attribute from the iframe. This will allow the iframe to perform any actions, but it may compromise the security of the parent website - not recommended (✘)
  2. Add the allow-popups attribute to the iframe’s sandbox attribute list. This will allow the iframe to open new windows and popups. But it would allow all the popups - not recommended (✘)
  3. window.postMessage API to communicate between the parent window and the iframe.

But, quoting the below phrase from the thread above - so that our team can check the possibilities & track it in our list of asks (if valid)

If you could identify which restriction is particularly blocking these applications, we can consider for removal of the particular restriction if it would be possible and secure to lift them.

Thanks

Hi @mariappan,

OK, I will check if option 3 is applicable in my situation. After the new tab is opened, there is no need for communication between the parent and the popup window, so strictly I don't need the window.open function.

If you could identify which restriction is particularly blocking these applications, we can consider for removal of the particular restriction if it would be possible and secure to lift them.

The button in the app links to [https:// outlook . office . com / owa / …], which has a cross-origin-opener-policy enabled, so the iframe in the app-sandbox is prohibited from opening the link in a new tab.

Hope this takes you further? Thanks!

2 Likes

Hi @mariappan ,
I was not able to make this app work again. Option 3 (window.postMessage) is not applicable, because the app running in the sandbox and the new tab are on different domains.
Is there another way to call a simple external url, which is generated with this app? Maybe there is a way to change the sandbox behavior for certain external domains?
Thanks!

Hi @mariappan ,
Could you please give me some hint on this topic, because I'm stuck at the moment…
Is it possible to modify the sandbox behavior to allow window.open to an external URL like office.com?
You mentioned option 3 (window.postMessage API to communicate between the parent window and the iframe); could you give me an example of how I could implement this?
Thank you very much!
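
Option 3 from the reply above, as an added example that is not part of the original thread and is not Freshworks' code: the sandboxed iframe asks its parent page to open the link, and the parent opens it only after checking the sender and an exact-host allowlist. It assumes you control the parent page that embeds the iframe; the `app-frame` element id, the `open-link` message shape and the function names are hypothetical.

```javascript
// Parent-page broker for links requested by a sandboxed iframe (hypothetical names).
const ALLOWED_HOSTS = ['outlook.office.com']; // exact hosts only, no wildcards

// Return the normalized https URL if it is on the allowlist, otherwise null.
function vetLink(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== 'https:') return null;      // rejects javascript:, data:, http:
  if (url.username || url.password) return null;   // rejects https://trusted@other-host/
  if (!ALLOWED_HOSTS.includes(url.hostname)) return null;
  return url.href;
}

// Handle one message event. The sender is identified by window reference, because a
// sandboxed iframe without allow-same-origin reports event.origin as the string "null".
// openFn is injected so the logic can be exercised outside a browser.
function handleOpenRequest(event, trustedSource, openFn) {
  if (!trustedSource || event.source !== trustedSource) return false;
  const data = event.data;
  if (!data || data.type !== 'open-link' || typeof data.url !== 'string') return false;
  const href = vetLink(data.url);
  if (href === null) return false;
  // The tab is opened by the unsandboxed parent, so it inherits no sandbox flags;
  // noopener keeps the new tab from holding a reference back to this page.
  openFn(href, '_blank', 'noopener,noreferrer');
  return true;
}

// Browser wiring in the parent page (skipped when run outside a browser).
if (typeof window !== 'undefined') {
  const frame = document.getElementById('app-frame'); // hypothetical iframe id
  window.addEventListener('message', (e) =>
    handleOpenRequest(e, frame && frame.contentWindow, window.open.bind(window)));
}

// Inside the sandboxed iframe, the button handler would send (targetOrigin should be
// the parent's real origin rather than '*'):
//   window.parent.postMessage({ type: 'open-link', url: outlooklink }, PARENT_ORIGIN);
```
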
