Very interested in the Office Preview functionality, but have some security questions...



  • We're getting ready to implement JSReports into our environment and stumbled upon the Office Preview feature... it's amazing! The team loves it enough to make it a priority in implementation. However, we have tight security restraints that need to be accounted for before we can take the leap. So, with that said...

    • When a report is generated and stored on servers outside of our control, where are they stored? Is there an SLA available for the servers holding this data?
    • What is the exact name of the Microsoft service being used to render this data? Based on the description it sounds like any reports rendered this way are going to be stored on Microsoft servers for an undisclosed amount of time so we're going to need an SLA for that service as well.
    • Is there a way this can be configured to run through an O365 or Microsoft Online account that we own and operate?

    We sincerely appreciate the hard work that's gone into this product, it's the best reporting solution we've ever used!



  • Thank you for your interest in jsreport

    We have some documentation regarding this topic here
    https://jsreport.net/learn/office-preview

    Our server doesn't provide any SLA for office preview, but you can configure preview to upload office files to your server.
    This must be a public server so office online can reach it.
    I am not sure if office online servers store this file, they probably don't.
    I don't think they have an SLA, it is a public service and we have experienced quite some problems with stability.
    I don't know what services O365 provides regarding Office Online.
    Do you have some experiences here?
    We would be happy to help to push it through.



  • So hosting on our side is great, we're likely going to take that route - thanks for the suggestion.

    I have a few years of experience working not only in security, but also with various support teams at Microsoft. What I need to do before we can do this is verify within a reasonable level of certainty that Microsoft does absolutely nothing with data pushed to or through this service. Many services like this often boast their offering as "free", but hide the true purpose of the service deep inside chapters-long policies and agreements. A great example of this is the AWS-SES service that, while not FREE, is a very cheap method of managing email. What they hid in their SLA for this service is that every single email sent or received through that service is scanned by their side for any malware, but they don't mention if the data is or is not stored on any databases they own. This becomes a pretty big problem when dealing with client data sent or received through the service.

    Do you know the exact name of the service you're using to render the reports in Office formats through JSReports? Is it an offering through Office365 or Microsoft Live? Do you have a link?



  • I understand one must be careful with these services. We provide this feature only for reports preview which typically includes just mock data and we also warn users about making reports public for a moment.

    This office preview service was renamed several times and I don't see the original documents. Everything redirects now to https://office.com
    We were integrating this several years ago. Many things changed since then. We will probably need to review this.
    Our integration is simple, we upload a report file to our public server and use an iframe with URL https://view.officeapps.live.com/op/view.aspx?src=thereporturl.xlsx.
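
The integration described in the post above, sketched for the self-hosted case as an added example (not jsreport's code and not part of the original post): the file URL handed to the viewer carries an expiry and an HMAC, so the report is only fetchable for a short window. The host `reports.example.com`, the function names, the 60-second TTL and the signing scheme are assumptions, as is the viewer fetching `src` with its query string intact.

```javascript
const crypto = require('crypto');

// Assumptions (not from the thread): host name, TTL, and the HMAC scheme itself.
const PUBLIC_BASE = 'https://reports.example.com/preview'; // constructed placeholder host
const SECRET = crypto.randomBytes(32); // in production, load from your secret store
const TTL_SECONDS = 60;

function sign(fileName, expires) {
  return crypto.createHmac('sha256', SECRET).update(`${fileName}\n${expires}`).digest('hex');
}

// Time-limited public URL that the viewer service is allowed to fetch.
function publicFileUrl(fileName, nowMs = Date.now()) {
  const expires = Math.floor(nowMs / 1000) + TTL_SECONDS;
  const u = new URL(`${PUBLIC_BASE}/${encodeURIComponent(fileName)}`);
  u.searchParams.set('exp', String(expires));
  u.searchParams.set('sig', sign(fileName, expires));
  return u.toString();
}

// Viewer URL from the post; src is percent-encoded so exp/sig stay inside it.
function viewerUrl(fileUrl) {
  return 'https://view.officeapps.live.com/op/view.aspx?src=' + encodeURIComponent(fileUrl);
}

// Server-side gate: run on the full request URL before streaming any file.
function verifyRequest(requestUrl, nowMs = Date.now()) {
  let u, fileName;
  try {
    u = new URL(requestUrl);
    fileName = decodeURIComponent(u.pathname.split('/').pop());
  } catch {
    return false; // malformed URL or percent-encoding
  }
  if (!fileName || /[\/\\]|\.\./.test(fileName)) return false; // no path tricks
  const expires = Number(u.searchParams.get('exp'));
  if (!Number.isInteger(expires) || expires * 1000 < nowMs) return false; // expired
  const given = Buffer.from(u.searchParams.get('sig') || '', 'hex');
  const expected = Buffer.from(sign(fileName, expires), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Deleting the file once the window closes keeps the exposure to the moment of preview even if a signed URL is logged somewhere.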



  • Just so you know - I tend to be a bit overcautious at times, this issue being no exception. It's very possible that everything is perfectly fine with this service and there's nothing to be concerned with. I definitely don't want to suck the wind out of anyone's sails when considering this feature, it's a very cool, very useful feature I think everyone would benefit from implementing.

    I've committed to carving out some time next week to dig deeper into all of this with Microsoft. I'll drop a line here (one way or the other) whenever I wrap up that work. I very much appreciate the information you've provided above, Jan, it'll definitely reduce the amount of time I'd spend hunting around for initial leads!



  • Sorry for the extended delay in replying to this topic, been a pretty hectic month so far.

    I don't have any great news, more like neutral news. I've been in several conversations with Microsoft support that are still ongoing and it seems like there isn't any explicit documentation tied to this service. What this means is that it's a "use at your own risk" service right now that has absolutely no guarantees of uptime, availability, security, or otherwise.

    While this is pretty unfortunate (I hate not having firm word one way or the other) we still plan on moving forward with using the service, but plan on implementing some warnings around its use that indicate these shortcomings in a user-friendly way. This should be enough to satisfy any security concerns that bubble up due to the implementation of this feature.


