Debugging in Production

I was given this challenging case today, where I had to change production HTML to figure out what was wrong. I have to confess, it was a trial-and-error approach.

The case

The issue arose when opening a document from SharePoint in an Office application. Office applications authenticate through an embedded browser. Many of you have seen this if SharePoint is secured by ADFS. Every time we reached a specific page, the embedded browser closed and displayed the following error:

Your organization's policies are preventing us from completing this action for you. For more info, please contact your help desk.

A similar issue was posted by a Microsoft security engineer. He resolved the problem by adding an initial src URL to the iframe he was using.

The search for a solution

By following this blog post from Telerik I was able to change production HTML.

  1. Trace the network traffic
  2. At some point, a call to your endpoint is made (e.g. to https://originalhost/customIframe.html)
  3. Create a dummy HTML-file you want to serve instead of the production code (you can copy/paste the production code from the Fiddler trace to this HTML-file)
  4. Right-click on the request – Add new rule
  5. Add a rule similar to the screenshot above

Make sure “Auto Responder” and your rule are active by checking if the toggle is green. Otherwise, you won’t hit the forged HTML-file.

Bonus

I was debugging in the embedded browser of Office, so there was no JavaScript console available to see what’s really going on. To conquer this, I had to download Visual Studio 2017 (you can find the reason why here), create a web project, attach the debugger to the Office application, and display the JavaScript console under Debugging – Window – JavaScript Console.

Conquering the problem

First I tried to render an iframe with a relative URL inside the Office application embedded browser:

<iframe src="/relative/path/logo.png" ></iframe>

This worked.

The following resulted in the error stated above:

<iframe src="https://www.google.com"></iframe>

This led me to the conclusion that iframes with external URLs are not allowed. Alright. If I just knew how to change this behavior. Group policy is not an option since the guests will be external users.

I ended my day by posting my question to Stack Overflow. I would not say successfully, but at least a little bit wiser.
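
An added example, not part of the original post: a Python check that can be run over the local copy of the production HTML saved in step 3, listing every iframe and whether its src is missing, same-origin or external relative to the page URL. The function and class names and the sample markup are constructed for illustration; the page URL reuses the placeholder from the Fiddler steps.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class IframeAudit(HTMLParser):
    """Collects (src, verdict) for every <iframe> start tag in a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = (dict(attrs).get("src") or "").strip()
        if not src:
            verdict = "missing-src"      # no initial src URL on the iframe
        else:
            target = urljoin(self.page_url, src)   # resolve relative URLs
            if urlsplit(target).scheme not in DEFAULT_PORTS:
                verdict = "non-http"     # about:, javascript:, data: ...
            elif origin(target) == origin(self.page_url):
                verdict = "same-origin"
            else:
                verdict = "external"
        self.findings.append((src, verdict))

def audit_iframes(html, page_url):
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input: the two iframes from the post plus two edge cases.
SAMPLE_PAGE_URL = "https://originalhost/customIframe.html"
SAMPLE_HTML = """
<iframe src="/relative/path/logo.png" ></iframe>
<iframe src="https://www.google.com"></iframe>
<iframe id="late-bound"></iframe>
<iframe src="//originalhost:443/frame.html"></iframe>
"""

if __name__ == "__main__":
    for src, verdict in audit_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{verdict:12} {src or '(none)'}")
```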
