Request for Subresource Integrity (SRI) Hash Support for office.js CDN
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 24%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Rocktim Raj
0
Reputation points
Dear Microsoft Team,
I hope this message finds you well.
We are currently integrating the Office.js library as part of our Outlook Add-in and are referencing it via the official Microsoft CDN, as shown below:
<script type="text/javascript" src="https://appsforoffice.microsoft.com/lib/1.1/hosted/office.js"></script>
As part of our organization’s security practices, we use code analysis tools (e.g., SonarQube) that flag this usage due to the absence of a Subresource Integrity (SRI) hash.
If possible, we kindly request your support on the following:
Providing version-specific URLs for office.js, if not already available.
Offering corresponding official SRI hash values for these versions, so they can be safely referenced with integrity checks.
This would greatly help in aligning with internal compliance requirements while continuing to use the script directly from Microsoft's trusted CDN.
Thank you for your continued support and for the valuable tools and libraries you provide. We truly appreciate your efforts and would be grateful for any guidance or updates on this matter.
Warm regards,
Rocktim Rajkumar
Software Engineer at Procore
Microsoft 365 and Office | Development | Office JavaScript API
Sign in to answer