2. About me
• SharePoint Server MVP since 2008
• Blog : http://www.silver-it.com
• @stephaneeyskens
3. Poll
Who has already developed Apps for Customers?
Who has deployed an App to the Office Store?
Who has used CORS in a real-world project?
4. Take Away
CORS is your friend
SharePoint X-DOM Libraries do not make X-DOM calls
HTML5 is your friend too
Everything is a question of HTTP Headers in the end
10. Same-Origin Policy Workaround #3
Using a reverse proxy
PROS
• Works with every browser
• Possibility to forward authentication credentials using SiteMinder
• Transparent auth if SSO is available
• No coding effort
CONS
• More of an on-prem solution
• Enterprise reverse proxies are usually not available on dev boxes
16. HTML5 PostMessage API
PROS
• Fast as a rocket
• Partially supported by all the browsers
• Authentication is handled by the browser
CONS
• IFRAMEs are set to same-origin by SP OOTB
• Security risks involved
• Hard to maintain
18. HTML5 PostMessage API Recap
• Remove X-Frame-Options or allow explicit origins
• In code, check the origin of the sender
• SharePoint 2013 already makes use of this API in CustomActions & popup windows
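The two postMessage slides (16 and 18) boil down to one rule for the receiving page: act only on messages whose browser-supplied origin is on an explicit allowlist, and treat the payload as data. The snippet below is an added example, not code from the deck or from SharePoint; the origins, the `isTrustedMessage`, `handleMessage` and `sendToFrame` names, and the `resize`/`navigate` commands are all constructed for illustration. It also shows the sender side always naming a target origin instead of `*`, which the slides imply but do not spell out.

```javascript
// Added example (not from the slides): receiving-side origin check for
// window.postMessage, plus a sender that always names the target origin.
// Assumed names: ALLOWED_ORIGINS, isTrustedMessage, handleMessage, sendToFrame.

// Allowlist of origins this page accepts messages from. Constructed for the
// example; a real page would list its own host web / app web origins.
const ALLOWED_ORIGINS = [
  "https://contoso.sharepoint.example",
  "https://app.contoso.example",
];

// Decide whether a MessageEvent-like object may be acted on.
// event.origin is filled in by the browser and cannot be set by the sender,
// so it is the one field worth trusting; the payload itself is still data.
function isTrustedMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (!event || typeof event.origin !== "string") return false;
  // Exact string match only: prefix, suffix or regex checks let
  // look-alike origins through.
  return allowedOrigins.includes(event.origin);
}

// Parse and validate the payload. Returns the action to perform, or null
// when the message must be ignored. Never eval the data or inject it as HTML.
function handleMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (!isTrustedMessage(event, allowedOrigins)) return null;
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch { return null; }
  }
  if (!msg || typeof msg !== "object") return null;
  // Only a small set of known commands is honoured (assumed command set).
  const KNOWN = new Set(["resize", "navigate"]);
  if (!KNOWN.has(msg.command)) return null;
  // A navigation request must carry an absolute https URL.
  if (msg.command === "navigate" && !/^https:\/\//.test(String(msg.url))) return null;
  return { command: msg.command, args: msg };
}

// Sender side: always pass an explicit target origin, never "*", so the
// browser silently drops the message if the frame has navigated elsewhere.
function sendToFrame(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard target origin");
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Wire up the listener only when running inside a browser.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    const action = handleMessage(event);
    if (action) console.log("accepted", action.command, "from", event.origin);
  });
}
```

The listener checks the origin before parsing anything, so a message from an unexpected frame costs one string comparison and leaves no trace in the page. Removing `X-Frame-Options` (slide 18) widens who can embed the page, which is exactly why the origin check in code is not optional.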
19. Same-Origin Policy Workaround #6
SharePoint Cross-Domain Libraries
PROS
• OOTB
CONS
• Only usable in Apps
• Only targeting SharePoint OOB endpoints in an authenticated manner. Provider-Hosted Apps cannot do both CSOM & JSOM at the same time
• Non-OOTB endpoints must be registered in AppManifest & are called anonymously
22. Same-Origin Policy Workaround #8
CORS
PROS
• Granular control on the server
• Possibility to forward authentication credentials
• Emerging standard (recently enabled on Azure Storage)
CONS
• Requires IE 10+
• Requires configuration efforts on the server
• Currently, not possible to enable CORS on O365
24. CORS Config Recap
• Add the necessary HTTP response headers
• Use either a reverse proxy, a custom HTTP module or a rewriter engine to deal with the headers
• Use the Max-Age attribute to cache preflight requests
• When using Access-Control-Allow-Credentials you can't use * as the allowed origin
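The four recap points map onto a handful of decisions that whatever sits in front of the server (reverse proxy, HTTP module or rewriter) has to make per request. The code below is an added example written for this page, not the speaker's code or any SharePoint component: a policy evaluator that echoes back only an allowlisted origin, refuses a `*` policy when credentials are enabled, answers preflights with `Access-Control-Max-Age`, and emits `Vary: Origin` so caches do not serve one origin's answer to another. The `corsPolicy` values, the `evaluateCors` name and the request shape (`{ method, headers }` with lower-case header names) are assumptions of the example.

```javascript
// Added example (not from the slides): a small CORS policy evaluator of the
// kind a reverse proxy or custom HTTP module would run before answering.
// Policy values, function name and request shape are assumed for the demo.

// Example policy, constructed for this demo.
const corsPolicy = {
  allowedOrigins: ["https://app.contoso.example", "https://intranet.contoso.example"],
  allowCredentials: true,          // cookies / Windows auth forwarded by the browser
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type", "accept"],
  maxAgeSeconds: 600,              // browser may cache the preflight answer for 10 min
};

// Evaluates one request { method, headers } (lower-case header names).
// Returns { preflight, allowed, headers } where headers are the CORS
// response headers to add; nothing is added when the origin is not allowed.
function evaluateCors(req, policy = corsPolicy) {
  // A policy combining "*" with credentials is invalid: browsers reject it,
  // so fail loudly at evaluation time instead of shipping a broken config.
  if (policy.allowCredentials && policy.allowedOrigins.includes("*")) {
    throw new Error("invalid CORS policy: '*' cannot be combined with credentials");
  }

  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" };   // caches must key responses on Origin
  // No Origin header: same-origin or non-browser client, nothing to add.
  if (!origin) return { preflight: false, allowed: true, headers };

  // Exact match against the allowlist; a literal "*" is only honoured when
  // credentials are off (checked above). Only the one matching origin is echoed.
  let allowedOrigin = null;
  if (policy.allowedOrigins.includes(origin)) allowedOrigin = origin;
  else if (policy.allowedOrigins.includes("*")) allowedOrigin = "*";
  if (!allowedOrigin) return { preflight: false, allowed: false, headers };

  headers["Access-Control-Allow-Origin"] = allowedOrigin;
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight = req.method === "OPTIONS" && !!req.headers["access-control-request-method"];
  if (!isPreflight) return { preflight: false, allowed: true, headers };

  // Preflight: validate the requested method and headers, then answer with Max-Age.
  const wantMethod = req.headers["access-control-request-method"].toUpperCase();
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = policy.allowedMethods.includes(wantMethod);
  const headersOk = wantHeaders.every((h) => policy.allowedHeaders.includes(h));
  if (!methodOk || !headersOk) return { preflight: true, allowed: false, headers };

  headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return { preflight: true, allowed: true, headers };
}
```

Echoing the matched origin rather than the whole list is deliberate: `Access-Control-Allow-Origin` takes a single value, and echoing the request's `Origin` unconditionally would turn the allowlist into `*` in disguise, which with credentials hands any site the user's authenticated session.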
27. How to consume Claims Aware WCF Services hosted outside of SharePoint?
• Make the WCF service claims aware, create a cert, add it to the WCF bindings, export it
• Trust the cert in SP
• Use the SharePoint API (SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser)
• Not working with Cross-Domain Libs
• Not working with CORS (oops)
• Need to implement a custom proxy
28. Alternative to CORS
Create your own REST endpoints
PROS
• Accessible from Apps
• Can be used together with SP cross-domain libraries
• Well integrated with SP
CONS
• OnPrem only
• Hard
31. Summary
• Cross-Domain Libraries are not the only option
• All the other options work with and without Apps
• With Apps, some approaches « bypass » the App Security Model
• Extending REST endpoints is hard but facilitates authentication aspects