From 473114f0a3f25c980b12847a284a9bee74645a0f Mon Sep 17 00:00:00 2001 From: Gavin Barron Date: Wed, 8 Jul 2026 10:16:25 -0700 Subject: [PATCH] fix: route signed-out sandbox proxy to graphexplorer.microsoft.com Update the signed-out Storybook sandbox proxy to use https://graphexplorer.microsoft.com/api/proxy. MockMiddleware now returns this URL directly, removing the graph.office.net endpoint discovery, fallback, and sessionStorage caching. CSP connect-src allowlists for the main site and the code-editor playground iframe are updated to allow the new host and drop the old office.net hosts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../addons/codeEditorAddon/codeAddon.js | 2 +- .storybook/post-process-index-file.js | 2 +- .../mgt-element/src/mock/MockMiddleware.ts | 37 ++----------------- 3 files changed, 5 insertions(+), 36 deletions(-) diff --git a/.storybook/addons/codeEditorAddon/codeAddon.js b/.storybook/addons/codeEditorAddon/codeAddon.js index 885b4ad423..0d9fd37968 100644 --- a/.storybook/addons/codeEditorAddon/codeAddon.js +++ b/.storybook/addons/codeEditorAddon/codeAddon.js @@ -254,7 +254,7 @@ export const withCodeEditor = makeDecorator({ content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; - connect-src https://graph.microsoft.com https://graph.microsoft.us https://dod-graph.microsoft.us https://graph.microsoft.de https://microsoftgraph.chinacloudapi.cn https://canary.graph.microsoft.com https://login.microsoftonline.com https://cdn.graph.office.net https://graph.office.net 'self'; + connect-src https://graph.microsoft.com https://graph.microsoft.us https://dod-graph.microsoft.us https://graph.microsoft.de https://microsoftgraph.chinacloudapi.cn https://canary.graph.microsoft.com https://login.microsoftonline.com https://graphexplorer.microsoft.com 'self'; img-src 'self' data: blob: https://*.microsoft.com https://*.microsoftonline.com https://*.sharepoint.com https://*.office.com https://*.office365.com https://*.windows.net; font-src 'self' https://static2.sharepointonline.com; frame-src https://login.microsoftonline.com 'self'; diff --git a/.storybook/post-process-index-file.js b/.storybook/post-process-index-file.js index dcfb467d24..5997e3ab03 100644 --- a/.storybook/post-process-index-file.js +++ b/.storybook/post-process-index-file.js @@ -60,7 +60,7 @@ function addCspTag(filePath) { ' ' )} 'self';style-src 'report-sample' 'unsafe-inline' ${styleHashes.join( ' ' - )} 'self';font-src static2.sharepointonline.com 'self';connect-src https://cdn.graph.office.net https://graph.office.net https://login.microsoftonline.com https://graph.microsoft.com https://mgt.dev 'self';img-src data: https: 'self';frame-src https://login.microsoftonline.com 'self';default-src 'self'; base-uri 'self'; upgrade-insecure-requests; form-action 'self';report-to https://csp.microsoft.com/report/MGT-Playground" + )} 'self';font-src static2.sharepointonline.com 'self';connect-src https://graphexplorer.microsoft.com https://login.microsoftonline.com https://graph.microsoft.com https://mgt.dev 'self';img-src data: https: 'self';frame-src https://login.microsoftonline.com 'self';default-src 'self'; base-uri 'self'; upgrade-insecure-requests; form-action 'self';report-to https://csp.microsoft.com/report/MGT-Playground" />`; const updatedHtmlDocument = htmlDocument.replace( //, diff --git a/packages/mgt-element/src/mock/MockMiddleware.ts b/packages/mgt-element/src/mock/MockMiddleware.ts index d1a565dd46..8b5e6e9f76 100644 --- a/packages/mgt-element/src/mock/MockMiddleware.ts +++ b/packages/mgt-element/src/mock/MockMiddleware.ts @@ -6,7 +6,6 @@ */ import { Context, Middleware } from '@microsoft/microsoft-graph-client'; -import { SessionCache, storageAvailable } from '../utils/SessionCache'; /** * Implements Middleware for the Mock Client to escape @@ -24,14 +23,6 @@ export class MockMiddleware implements Middleware { private static _baseUrl: string; - private static _cache: SessionCache; - private static get _sessionCache(): SessionCache { - if (!this._cache && storageAvailable('sessionStorage')) { - this._cache = new SessionCache(); - } - return this._cache; - } - public async execute(context: Context): Promise { try { const baseUrl = await MockMiddleware.getBaseUrl(); @@ -52,7 +43,7 @@ export class MockMiddleware implements Middleware { } /** - * Gets the base url for the mock graph, either from the session cache or from the endpoint service + * Gets the base url for the mock graph. * * @static * @return {string} the base url for the mock graph to use. @@ -60,31 +51,9 @@ export class MockMiddleware implements Middleware { */ public static async getBaseUrl() { if (!this._baseUrl) { - const sessionEndpoint = this._sessionCache?.getItem('endpointURL'); - if (sessionEndpoint) { - this._baseUrl = sessionEndpoint; - } else { - try { - // get the url we should be using from the endpoint service - const response = await fetch('https://cdn.graph.office.net/en-us/graph/api/proxy/endpoint'); - const base: unknown = await response.json(); - if (typeof base !== 'string') { - MockMiddleware.setBaseFallbackUrl(); - } else { - this._baseUrl = base + '?url='; - } - } catch { - // fallback to hardcoded value - MockMiddleware.setBaseFallbackUrl(); - } - this._sessionCache?.setItem('endpointURL', this._baseUrl); - } + this._baseUrl = 'https://graphexplorer.microsoft.com/api/proxy?url='; } - return this._baseUrl; - } - - private static setBaseFallbackUrl() { - this._baseUrl = 'https://graph.office.net/en-us/graph/api/proxy?url='; + return await Promise.resolve(this._baseUrl); } }