How to solve IE Iframe SharePoint context issue using P3P Policy

Introduction

While working with provider-hosted apps, one faces a SharePoint context problem when the app is opened in an iframe in Internet Explorer. When the code tries to build the SharePoint context, the error ‘object not set to an instance of an object’ is encountered. This means that the SharePoint context is not getting built, so any attempt to use its properties displays an error.

Observation

This problem arises when the application is opened in an iframe and the code tries to build the SharePoint context so that it can obtain the client context and perform operations.

  • When the provider-hosted application runs, a window with appredirect.aspx opens. It registers the application and provides an app token, which is used to authenticate the application running on the remote server to SharePoint. This token is sent in the Request property of the HttpContext; the request contains form values and a query string.
  • When appredirect.aspx is opened, the app tokens are sent in the form values. The SharePoint context is then stored in the browser session, and subsequent requests read the context from that session.

[Figure: provider-hosted app architecture diagram]

Root Cause

The issue crops up when the application runs in an iframe in Internet Explorer. IE gives iframe pages the least trust, so it does not store their session in the browser cache. Because the application then has no session in the browser, the SharePoint context cannot be read from the session. The program interprets this as the first request and tries to build the session from the request, but this request has neither the form values nor the query string that carry the app tokens. So the SharePoint context cannot be built, and an exception with the message ‘object not set to an instance of an object’ is thrown.
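The lookup order described in the Observation and Root Cause sections (stored session first, then app tokens from the form values or query string, otherwise failure) can be replayed with a small model. This is an added example, not the article's code or the real SharePointContext/TokenHelper classes; the cookie name ASP.NET_SessionId and the field name SPAppToken are assumptions, and the "browser" is a toy that only decides whether the iframe's session cookie is sent back. The optional `token_in_query` flag also models the second alternative from the next section (tokens carried in the query string), which goes beyond the iframe case itself.

```python
"""Model of the SharePoint-context lookup described in the article.

Constructed example: not the real SharePointContext/TokenHelper code. The
session cookie and token field names are assumptions.
"""

SESSION_COOKIE = "ASP.NET_SessionId"   # default ASP.NET session cookie (assumed)
TOKEN_FIELD = "SPAppToken"             # form/query field carrying the app token (assumed)


class ContextUnavailable(Exception):
    """Raised when there is neither a stored session nor any app token to build one.

    Raising a named exception here is what replaces the bare
    'object not set to an instance of an object' failure the article describes.
    """


def resolve_context(session_store, request):
    """Return (context, source, session_id).

    source is "session" when the context was read from the server-side session,
    "tokens" when it had to be built from the form values or the query string.
    """
    sid = request["cookies"].get(SESSION_COOKIE)
    if sid is not None and sid in session_store:
        return session_store[sid], "session", sid
    token = request["form"].get(TOKEN_FIELD) or request["query"].get(TOKEN_FIELD)
    if not token:
        # The state the Root Cause section describes: no session, no tokens.
        raise ContextUnavailable(
            "no session and no %s in form values or query string" % TOKEN_FIELD)
    context = {"app_token": token}
    sid = "sess-%d" % (len(session_store) + 1)   # toy session id
    session_store[sid] = context
    return context, "tokens", sid


def simulate(iframe_keeps_session_cookie, token_in_query=False):
    """Replay the flow: appredirect.aspx POSTs the token once, then the app
    makes two more requests from inside the iframe.

    Returns the context source for each request, or "error" where the
    article's exception would have been thrown.
    """
    session_store, jar, results = {}, {}, []
    first_token = "constructed-app-token"
    requests = [
        {"form": {TOKEN_FIELD: first_token}, "query": {}},   # appredirect.aspx POST
        {"form": {}, "query": {}},                            # next page in the iframe
        {"form": {}, "query": {}},
    ]
    for req in requests[1:]:
        if token_in_query:
            # Alternative 1.2 from the article: the token stored client-side is
            # appended to every request as a query string.
            req["query"][TOKEN_FIELD] = first_token
    for req in requests:
        req["cookies"] = dict(jar)   # what the browser sends back on this request
        try:
            _ctx, source, sid = resolve_context(session_store, req)
        except ContextUnavailable:
            results.append("error")
            continue
        results.append(source)
        # Set-Cookie from the server: the toy browser keeps it for the iframe
        # only when it trusts the page (what the P3P header achieves in IE).
        if iframe_keeps_session_cookie:
            jar[SESSION_COOKIE] = sid
    return results


if __name__ == "__main__":
    print("cookie kept      :", simulate(True))
    print("cookie dropped   :", simulate(False))
    print("token in query   :", simulate(False, token_in_query=True))
```

With the cookie kept, only the first request has to build the context and the rest reuse the session; with the cookie dropped, every request after the first lands in the "no session, no tokens" branch, which is exactly the failure the article describes; carrying the token in the query string avoids the error but rebuilds the context on every request, which is the performance trade-off noted at the end of the next section.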

Opted Alternatives

Two available solutions are as follows:

  1. Get the app authorized each time a call is made to SharePoint.
  2. Force Internet Explorer 10 (IE 10) to store the iframe session in the cache.

  1. Get the app authorized each time a call is made to SharePoint: For this, one authorizes the app every time a call to the server is made. There are two ways to do this:
    1. From a security certificate (not for O365): Attach a server certificate to the header of every request made to the server. To do so, add the server certificate in SharePoint so that it can authenticate the request and send the response data accordingly. This is only possible when using the provider-hosted app with on-premises SharePoint.
       This approach is not applicable to O365, as there is no provision to add server certificates there.
    2. From app tokens (OAuth tokens): After the app tokens are returned from the server in the first request, store them in the DOM and use them for every request to the server by appending them to the request as a query string. The token helper class can then read the OAuth tokens from the query string.
  2. Force IE to store the iframe session in the cache (currently implemented): In this approach, one declares the privacy policy of the pages shown in the iframe to Internet Explorer with P3P headers (Platform for Privacy Preferences Project). From this, IE concludes that the page is not a harmful page and that its session data can be stored without any issue. To add a P3P header, open the web.config file and add this code inside the configuration tag:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="p3p" value="CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>

    [Note: One can opt for either of the SharePoint context solutions given above, OAuth or session, depending on the scenario, such as performance-intensive or limited-time usage. The session alternative provides the required performance, whereas for long-term and constant usage of the application OAuth can serve the purpose, so it is advised to use them as per application needs.]

Meaning of P3P Header values

IDC: Identifiable Contact Information; access is given to identified online and physical contact information (e.g., users can access things such as a postal address).

DSP: Privacy policy containing DISPUTES elements.

COR: This service provides remedies for errors occurring with the connection.

ADM: Information may be used for technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage.

DEVi: Information may be used to enhance, evaluate, or review the site, service, product, or market. Opt-in means prior consent must be provided by users.

TAIi: Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Opt-in means prior consent must be provided by users.

PSA: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for the purpose of research, analysis, and reporting but it will not be used in an attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage.

PSD: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used in an attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage.

IVAi: Information may be used to determine habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis, and reporting. Opt-in means prior consent must be provided by users.

IVDi: Information may be used to determine habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects the related individual. Opt-in means prior consent must be provided by users.

CONi: Information may be used to contact an individual through a communications channel other than voice telephone for the promotion of a product or service. This includes notifying visitors about updates to the website. Opt-in means prior consent must be provided by users.

HIS: Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users cannot opt-in or opt-out of this usage.

OUR: Ourselves, entities acting as our agents, and entities for whom we are acting as an agent.

IND: Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected in this option. Where the recipient is some public fora, this is the appropriate retention policy.

CNT: Words and expressions contained in a body of communication — such as the text of the email, bulletin board postings, or chat room communications.
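The web.config fragment from the previous section and the token meanings listed above can be turned into a deployment check: read the p3p custom header out of the configuration, split the compact policy into tokens, and decode each token with its opt-in/opt-out suffix. This is an added example, not the article's code; the meanings are abbreviated from the list above, the lookup covers only the tokens this article uses (so "not in table" means not listed here, not necessarily invalid P3P), and SAMPLE_WEBCONFIG is the article's fragment embedded as a string.

```python
"""Extract and decode the P3P compact policy declared in web.config.

Constructed example. The token table is abbreviated from the article and
covers only the tokens the article lists.
"""
import re
import xml.etree.ElementTree as ET

# The article's web.config fragment, embedded so the example runs offline.
SAMPLE_WEBCONFIG = """
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="p3p" value="CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
"""

# Base token -> one-line meaning (abbreviated from the article's list).
BASE_TOKENS = {
    "IDC": "identifiable contact information is accessible to the user",
    "DSP": "policy contains DISPUTES elements",
    "COR": "remedies are provided for errors",
    "ADM": "used for administration / technical support of the site",
    "DEV": "used to enhance, evaluate or review the site or service",
    "TAI": "used for one-time tailoring of content for a single visit",
    "PSA": "pseudonymous profile for research, analysis and reporting",
    "PSD": "pseudonymous profile used to make decisions affecting the individual",
    "IVA": "identified data combined for research, analysis and reporting",
    "IVD": "identified data combined to make decisions affecting the individual",
    "CON": "used to contact the individual (other than by voice telephone)",
    "HIS": "archived for historical preservation under law or policy",
    "OUR": "recipient: ourselves, our agents and those we act for",
    "IND": "retained for an indeterminate period",
    "CNT": "category: content of communications",
}

# Purpose tokens carry an optional consent suffix: "i" = opt-in (prior consent
# required), "o" = opt-out, "a" or no suffix = always (users cannot opt in or out,
# as the article states for PSA, PSD and HIS).
PURPOSE_TOKENS = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS"}
SUFFIXES = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def p3p_header_from_webconfig(xml_text):
    """Return the value of the custom header named p3p (case-insensitive), or None."""
    root = ET.fromstring(xml_text.strip())
    for add in root.iter("add"):
        if add.get("name", "").lower() == "p3p":
            return add.get("value")   # ElementTree has already decoded &quot;
    return None


def cp_tokens(header_value):
    """Return the whitespace-separated tokens inside CP="..."."""
    match = CP_RE.search(header_value or "")
    if not match:
        raise ValueError('header value has no CP="..." compact policy')
    return match.group(1).split()


def decode_token(token):
    """Return (base, consent, meaning); consent is None for non-purpose tokens."""
    base, suffix = token[:3].upper(), token[3:].lower()
    if base not in BASE_TOKENS:
        raise ValueError("token not in table: %s" % token)
    if suffix and (base not in PURPOSE_TOKENS or suffix not in SUFFIXES):
        raise ValueError("suffix %r not allowed on %s" % (suffix, base))
    consent = SUFFIXES[suffix] if base in PURPOSE_TOKENS else None
    return base, consent, BASE_TOKENS[base]


def audit_policy(header_value):
    """Decode every token; return ([(token, consent, meaning)...], [problem...])."""
    decoded, problems, seen = [], [], set()
    for tok in cp_tokens(header_value):
        try:
            base, consent, meaning = decode_token(tok)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if base in seen:
            problems.append("duplicate token: %s" % tok)
        seen.add(base)
        decoded.append((tok, consent, meaning))
    return decoded, problems


if __name__ == "__main__":
    header = p3p_header_from_webconfig(SAMPLE_WEBCONFIG)
    print("P3P:", header)
    for tok, consent, meaning in audit_policy(header)[0]:
        print("  %-5s %-7s %s" % (tok, consent or "-", meaning))
```

The same `audit_policy` call can be run on the P3P header actually returned by the deployed app (for example from the headers shown by `curl -I`), which confirms that the custom header survived deployment and that the policy the app advertises still matches what was intended after later edits to web.config.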
