AdaptiveCard video media blocked from loading by media-src CSP on Outlook Web
Hey,
I’m having an issue with viewing videos on Outlook Web added to an AdaptiveCard then sent to a recipient. The send works, the adaptive card comes through correctly with all the appropriate IDs, I can see the video and the thumbnail. I’ve verified this using the “Actionable Messages Debugger” add-in on both Outlook Desktop and Outlook Web.
The problem is when viewing the message from my inbox on Outlook Web, I click the video, it goes to load and is blocked by the CSP policy for outlook.office.com. The video plays correctly from the Outlook desktop client.
Refused to load media from <server> because it violates the following Content Security Policy directive: “media-src blob: *.res.office365.com *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft *.sharepoint-df.com *.skype.com *.office.net *.office365.net *.office365-net.us *.office.com ‘self’ *.yammer.com *.engage.cloud.microsoft attachments.office.net attachment.outlook.live.net *.sharepoint.com”.
The video itself is hosted on an app service in Azure whose domain name is not listed above. I would expect the video to work regardless of where it’s hosted though (within reason).
To my knowledge this is a relatively new issue because AdaptiveCard videos used to load on Outlook Web without CSP interference. If anyone has any insight it would be appreciated. Thanks
Hey,I’m having an issue with viewing videos on Outlook Web added to an AdaptiveCard then sent to a recipient. The send works, the adaptive card comes through correctly with all the appropriate IDs, I can see the video and the thumbnail. I’ve verified this using the “Actionable Messages Debugger” add-in on both Outlook Desktop and Outlook Web. The problem is when viewing the message from my inbox on Outlook Web, I click the video, it goes to load and is blocked by the CSP policy for outlook.office.com. The video plays correctly from the Outlook desktop client. Refused to load media from <server> because it violates the following Content Security Policy directive: “media-src blob: *.res.office365.com *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft *.sharepoint-df.com *.skype.com *.office.net *.office365.net *.office365-net.us *.office.com ‘self’ *.yammer.com *.engage.cloud.microsoft attachments.office.net attachment.outlook.live.net *.sharepoint.com”. The video itself is hosted on an app service in Azure whose domain name is not listed above. I would expect the video to work regardless of where it’s hosted though (within reason). To my knowledge this is a relatively new issue because AdaptiveCard videos used to load on Outlook Web without CSP interference. If anyone has any insight it would be appreciated. Thanks Read More