M365 Changelog: Office add-in dialog API hardening update

MC283865 – Microsoft recently made some changes to harden the security of the Office Add-in dialog API, which impacts cross-domain communication. Normally they do not do Message center communications on these monthly changes, but in the case Microsoft want to make sure the potential for impact is understood.

Note: If your organization is not using Office Add-ins you can safely disregard this message.

This change only impacts Office Add-ins and does not affect COM/VSTO add-ins.

When will this happen:

These changes will take effect in the semi-annual channel on September 14th. Please ensure your add-in is updated before this date.

How does this affect your organization:

If your organization is deploying an office add-in, your add-in functionality may be impacted. Please confirm with your add-in provider whether your add-in is using either the Office.ui.messageParent or Office.dialog.messageChild methods to communicate between the dialog and the parent page (typically a task pane) on different domains. If so, your add-in will need to be updated to pass a new parameter to enable cross-domain communication.

The changes are rolling out with the following builds:

  • Office on the web: Live from 7/19/2021
  • Microsoft 365 on Windows subscription: 16.0.14310.10000
  • Office on Mac: 16.52.21080801
  • Office on iOS: 2.52.21080801
  • Semi-annual channel: The September Patch Tuesday (9/14/2021) will include the update.

What can you do to prepare:

For more information, see Action required: Update your Office add-in dialog for cross-domain communication

On Windows, you can set a registry key to bypass the target origin validation if needed. (For instructions, see the Tip in Cross-domain messaging to the host runtime.) Doing so allows add-ins making cross-domain communication to continue running even if they haven’t been updated to use the new parameter. Do this only as a temporary expediency until the add-in is updated.