You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, the "Permission justification" fields on the Privacy tab (Partner Center → extension submission) fail with a generic error banner — "Something went wrong while loading this page. Please refresh to try again." — whenever the input contains certain characters or patterns (e.g. https://, http//, or HTML tag syntax like <script>). This generic message gives no indication of what's actually wrong, and can easily be mistaken for a backend/session error (as happened in #640) rather than an input validation issue.
Requested feature:
Add proper client-side (or clearly surfaced server-side) validation feedback for these fields, similar to how the "Single purpose description" field already shows a live character counter. Specifically:
Inline validation messages — if a justification contains disallowed patterns (URL-like substrings, HTML tags, etc.), show a specific message near the field, e.g. "URLs and HTML tags are not allowed in this field," instead of failing the whole page save.
Live constraints shown upfront — document any character limits or disallowed patterns directly under each Permission justification textbox, the same way the Single Purpose Description field shows "421/1000."
Distinguish input errors from backend errors — the generic red banner is currently reused for both real backend failures (like the 403s in 403 Forbidden error when saving — "Something went wrong while loading this page" #640) and simple input validation issues. Separating these would save developers significant debugging time, since right now both look identical and get misdiagnosed as server problems.
Why this matters:
Since permission justifications often need to reference specific domains or URL patterns to properly explain why a host permission is needed (which is exactly what Microsoft's own guidance encourages), it's easy for developers to accidentally include a URL-like string in their justification text and get blocked with no explanation. This adds friction to an already important compliance step, and makes debugging failed submissions much harder than it needs to be.
Supporting findings from testing (extension: AlgoRhythm, Product ID: 1aa0fde7-c29a-4950-aaa8-219ec6672dc6):
Confirmed triggers: https:///http// substrings, <script> tag syntax
Labels: Feature, Partner Center, Edge Addons
Related to: #640
Summary:
Currently, the "Permission justification" fields on the Privacy tab (Partner Center → extension submission) fail with a generic error banner — "Something went wrong while loading this page. Please refresh to try again." — whenever the input contains certain characters or patterns (e.g.
https://,http//, or HTML tag syntax like<script>). This generic message gives no indication of what's actually wrong, and can easily be mistaken for a backend/session error (as happened in #640) rather than an input validation issue.Requested feature:
Add proper client-side (or clearly surfaced server-side) validation feedback for these fields, similar to how the "Single purpose description" field already shows a live character counter. Specifically:
Why this matters:
Since permission justifications often need to reference specific domains or URL patterns to properly explain why a host permission is needed (which is exactly what Microsoft's own guidance encourages), it's easy for developers to accidentally include a URL-like string in their justification text and get blocked with no explanation. This adds friction to an already important compliance step, and makes debugging failed submissions much harder than it needs to be.
Supporting findings from testing (extension: AlgoRhythm, Product ID: 1aa0fde7-c29a-4950-aaa8-219ec6672dc6):
https:///http//substrings,<script>tag syntax