'mailto:' scheme doesn't work in web application embedded in MS365 web app

Anonymous
2024-02-26T06:24:13+00:00

I have created a simple HTML web page with the following code:

<a href="mailto:<your-email-address>" title="">email-address</a>

I have hosted this app on localhost. With the help of ngrok I have integrated my website on a Microsoft Teams tab app. Now I am able to see my application in Microsoft 365 as well. If I open the app, it loads successfully. But after clicking on my email address, I see a console error:

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src ".  Note that '' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme  matches self's scheme. The scheme 'mailto:' must be added explicitly.

Here is my CSP on config file:

<add name="Content-Security-Policy" value="default-src: 'self'; frame-src mailto:;" />

I tried adding mailto: to frame-ancestor as well. That didn't help.

Microsoft 365 and Office | Install, redeem, activate | For business | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

3 answers

  1. Anonymous
    2024-02-27T07:26:11+00:00

    Eben-Ezer Tres MSFT I have tried your suggestion by adding 'self' to frame-src. That didn't help.

    Here are my config file details:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Content-Security-Policy" value="default-src: 'self'; frame-src 'self' mailto:;" />
          </customHeaders>
        </httpProtocol>
        <defaultDocument>
          <files>
            <remove value="index.htm" />
            <remove value="iisstart.htm" />
            <remove value="default.aspx" />
            <remove value="Default.asp" />
            <remove value="Default.htm" />
          </files>
        </defaultDocument>
      </system.webServer>
    </configuration>

    I tried deleting, publishing and reinstalling the app. I also tried restarting IIS. Nothing worked.

    1 person found this answer helpful.
  2. Anonymous
    2024-02-27T06:45:38+00:00

    Hi @Praveen Patel G

    Dear Chris Bears. Good day! Thank you for posting to the Microsoft Community. We are happy to help you! Given your question about creating an HTML web page, and the current forum channel you're posting focuses on Microsoft 365 for Business, especially Exchange Online builds. Therefore, in order to get further dedicated technical support and assistance, to help you better and not waste more time, it is recommended to publish a new thread on the Microsoft Q&A forum with a Microsoft 365 tag https://learn.microsoft.com/en-us/answers/tags/ . Dedicated support engineers there specialize in work related to HTML and will provide you with further assistance with your current goals/deployments.

    At the same time, I have also done some research via this link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-user-flow

    I think you can try to modify your CSP directive to explicitly allow the "mailto:" scheme. Here's what you can do:

    1. Update your CSP header value to include the "mailto:" scheme. You can adjust your CSP directive to allow the "mailto:" scheme as follows:
    <add name="Content-Security-Policy" value="default-src 'self'; frame-src 'self' mailto:;" />

    By adding mailto: to the frame-src directive, you explicitly permit the loading of resources using the "mailto:" scheme within frames.

    2. Ensure that your CSP settings are correctly applied within your application configuration files. Make sure that the updated CSP header is being delivered by your web server to the client's browser.
    3. After making these changes, restart your web server, refresh your web application in the Microsoft Teams tab, and then try clicking on the email address link. This should allow the "mailto:" scheme to work within your web application without triggering the CSP violation error.

    By explicitly adding the "mailto:" scheme to the CSP directive, you are instructing the browser to allow resources with that scheme to be loaded within your application. If the above step does not work, please contact the dedicated team, they have more knowledge and focus on that kind of issue.

    It is recommended to publish a new thread on the Microsoft Q&A forum with a Microsoft 365 tag https://learn.microsoft.com/en-us/answers/tags/ . Dedicated support engineers there specialize in work related to HTML and will provide you with further assistance with your current goals/deployments.  Thanks in advance for your understanding! Your patience and cooperation will be highly appreciated. Hope you all the best! Sincerely,

    Eben | Microsoft Community Moderator

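An added example, not part of the thread and not Microsoft's code: a small JavaScript linter for the two header values posted above. It flags a directive name the browser will not recognize (the "default-src:" written with a colon in the question's config) and checks, at the scheme level only, whether the sources governing frames admit a scheme such as mailto. The function names, the directive subset and the assumed https page scheme are illustrative.

```javascript
// Added example (not from the thread): lint a CSP value, test a scheme against frame-src.
// Subset of directive names, enough for this page; extend as needed.
const KNOWN_DIRECTIVES = new Set(["default-src", "child-src", "frame-src",
  "frame-ancestors", "script-src", "style-src", "img-src", "connect-src"]);
// What "*" covers, as listed in the console message quoted in the question.
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

function parsePolicy(headerValue) {
  const directives = new Map();
  const warnings = [];
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // a trailing ";" leaves an empty part
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) {
      warnings.push(`unrecognized directive name "${name}" (ignored)`);
    } else if (directives.has(name)) {
      warnings.push(`duplicate "${name}" (first one wins)`);
    } else {
      directives.set(name, tokens.slice(1));
    }
  }
  return { directives, warnings };
}

// Scheme-level check only: host and path matching are out of scope here.
// selfScheme is the scheme of the page that carries the policy (assumed https).
function frameSchemeAllowed(policy, scheme, selfScheme = "https") {
  const d = policy.directives;
  // Fallback order for framed content: frame-src, child-src, default-src.
  const sources = d.get("frame-src") ?? d.get("child-src") ?? d.get("default-src");
  if (sources === undefined) return true;         // nothing in this policy governs frames
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "*") return NETWORK_SCHEMES.has(scheme) || scheme === selfScheme;
    if (s === "'self'") return scheme === selfScheme;
    if (s.startsWith("'")) return false;          // 'none' and other keyword sources
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s.slice(0, -1) === scheme; // scheme-source
    const m = /^([a-z][a-z0-9+.-]*):\/\//.exec(s);
    return (m ? m[1] : selfScheme) === scheme;    // host-source, scheme part only
  });
}

// The value from the question's follow-up, and the one from the moderator's reply.
const asPosted = parsePolicy("default-src: 'self'; frame-src 'self' mailto:;");
const corrected = parsePolicy("default-src 'self'; frame-src 'self' mailto:;");
```

asPosted.warnings holds one entry for "default-src:", while both values admit mailto through frame-src. A frame-src restriction is enforced by the policy of the document that contains the frame, so the header sent by the embedding page needs the same check as the app's own.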
  3. Anonymous
    2024-02-26T09:09:23+00:00

    Hello Praveen Patel G

    Good day. Thank you for posting in the community.

    We've received your query and you can expect to receive a response from one of our community moderators accordingly.

    At this point, we appreciate your patience and cooperation. Thank you.

    Sincerely,

    Community moderator
