web.config change

web.config

@@ -65,6 +65,45 @@
       </staticContent>
     </system.webServer>
   </location>
+  <!--
+    MSAL v5 redirect bridge requirements (https://aka.ms/msal.js/redirect-bridge):
+    1. Must NOT be served with Cross-Origin-Opener-Policy headers. If COOP is present on
+       the bridge page, the browser performs a browsing context group swap that severs the
+       BroadcastChannel communication channel back to the main application, causing
+       ERR_BLOCKED_BY_RESPONSE when the popup navigates to the AAD login endpoint.
+       The <remove> tag strips any COOP header added by Azure infrastructure globally.
+       The explicit unsafe-none value ensures no COOP is present even after clearing.
+    2. Must be served with Cache-Control: no-store. The bridge page carries auth codes
+       and tokens in its URL — caching by a CDN or proxy would expose those credentials.
+  -->
+  <location path="redirectBridge.html">
+    <system.webServer>
+      <staticContent>
+        <clientCache cacheControlMode="DisableCache" />
+      </staticContent>
+      <httpProtocol>
+        <customHeaders>
+          <remove name="Cross-Origin-Opener-Policy" />
+          <add name="Cross-Origin-Opener-Policy" value="unsafe-none" />
+          <add name="Cache-Control" value="no-store" />
+        </customHeaders>
+      </httpProtocol>
+    </system.webServer>
+  </location>
+  <location path="mpac/redirectBridge.html">
+    <system.webServer>
+      <staticContent>
+        <clientCache cacheControlMode="DisableCache" />
+      </staticContent>
+      <httpProtocol>
+        <customHeaders>
+          <remove name="Cross-Origin-Opener-Policy" />
+          <add name="Cross-Origin-Opener-Policy" value="unsafe-none" />
+          <add name="Cache-Control" value="no-store" />
+        </customHeaders>
+      </httpProtocol>
+    </system.webServer>
+  </location>
   <location path="mpac/explorer.html">
     <system.webServer>
       <staticContent>