Any update on this? Particularly any comment from Microsoft?
Why does Outlook Web media-src CSP block all media not hosted with Microsoft?
I'm having an issue with viewing videos added to an AdaptiveCard as a recipient on Outlook Web.
The send works, the adaptive card comes through correctly with all the appropriate IDs, I can see the video, the thumbnail, and I can click "Play" just fine. I've verified this using the "Actionable Messages Debugger" add-in on both Outlook Desktop and Outlook Web.
When you finally click play on the video via Outlook Web, the video itself is blocked by the CSP policy for outlook.office.com. Repeatable on multiple browsers.
Refused to load media from <server> because it violates the following Content Security Policy directive: "media-src blob: *.res.office365.com *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft *.sharepoint-df.com *.skype.com *.office.net *.office365.net *.office365-net.us *.office.com 'self' *.yammer.com *.engage.cloud.microsoft attachments.office.net attachment.outlook.live.net .sharepoint.com".
The video itself is hosted on an app service in Azure whose domain name is not listed above. I would expect the video to work regardless of where it's hosted though (within reason).
The issue persists even when using the video used in the actual documentation for AdaptiveCards here: Media elements in Adaptive Card
I do understand what the problem is and why it's happening. What I don't understand is why Microsoft has imposed this restriction on their entire online mail platform. Is it really Microsoft's intention to restrict all AdaptiveCard media links opened on Outlook Online to only those hosted on a handful of their own domains?
I'm aware Outlook Online's CSP policy is arbitrary to how AdaptiveCards function, but I suspect many developers and users leveraging AdaptiveCards would expect their media links to function correctly on all forms of Outlook. It frankly feels like a pretty massive restriction and it's surprising at the very least.
Is anyone aware if this CSP policy is new? Is it temporary? Are there plans to change it?
Thanks
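
The check the browser applies to a card's media URL can be reproduced offline before a card is sent. The sketch below is an added example, not part of the original post and not Microsoft's code; it evaluates a URL against the `media-src` list quoted above. `PAGE_ORIGIN`, `matchingSource` and the host `media.example.net` are assumptions made for illustration, and only the source-expression forms present in this list are handled (no ports, paths or bare `*`).

```javascript
// Source list copied as it appears in the error message quoted in the post.
const MEDIA_SRC =
  "blob: *.res.office365.com *.cdn.office.net *.df.onecdn.static.microsoft " +
  "*.public.onecdn.static.microsoft *.sharepoint-df.com *.skype.com *.office.net " +
  "*.office365.net *.office365-net.us *.office.com 'self' *.yammer.com " +
  "*.engage.cloud.microsoft attachments.office.net attachment.outlook.live.net .sharepoint.com";

// Assumption: origin of the page that enforces the policy.
const PAGE_ORIGIN = "https://outlook.office.com";

// Returns the first source expression that allows mediaUrl, or null if the
// load would be refused. Because the enforcing page is HTTPS, a host source
// without a scheme only matches https URLs on the default port.
function matchingSource(mediaUrl, sourceList = MEDIA_SRC, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(mediaUrl);
  const host = url.hostname.toLowerCase();
  for (const src of sourceList.trim().split(/\s+/)) {
    const expr = src.toLowerCase();
    if (expr === "'self'") {
      // 'self' matches only the exact origin of the protected page.
      if (url.origin === new URL(pageOrigin).origin) return src;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) {
      // Scheme source such as "blob:" matches on scheme alone.
      if (url.protocol === expr) return src;
      continue;
    }
    // Host source: scheme and port must be the HTTPS defaults.
    if (url.protocol !== "https:" || url.port !== "") continue;
    if (expr.startsWith("*.")) {
      // "*.office.com" matches any subdomain but not the apex "office.com".
      if (host.endsWith(expr.slice(1))) return src;
    } else if (host === expr) {
      return src;
    }
  }
  return null;
}

// Constructed sample URLs: one third-party host, one host under a listed domain.
for (const u of ["https://media.example.net/video.mp4", "https://files.cdn.office.net/video.mp4"]) {
  console.log(u, "->", matchingSource(u) ?? "refused by media-src");
}
```

A `null` result corresponds to the "Refused to load media" error in the post: the host is neither the page's own origin nor under one of the listed domains.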