CORS issue ?


 


 

01-08-2022, 07:47 AM:

 

Hi All,

 

I am trying to open a site (some intranet) in a TIWUrlWindow, but I am not able to see it. Chrome console shows:

 

Refused to frame 'http://anhost.mydomain.com:8880/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

 

Is that server refusing to be iFramed? I already followed Jose Nilton's post about header injection.

 

Code:

void __fastcall TIWServerController::IWServerControllerBaseAfterDispatch(THttpRequest *Request,
        THttpReply *aReply)
{
    // Add a Content-Security-Policy header to every reply sent by this IntraWeb application
    aReply->AddHeader("Content-Security-Policy",
        "default-src "     + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
        "frame-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
        "script-src "      + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
        "style-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + "; " +
        "img-src "         + System::Sysutils::QuotedStr("self") + " http: data:; " +
        "object-src "      + System::Sysutils::QuotedStr("self") + "; " +
        "media-src "       + System::Sysutils::QuotedStr("self") + " http:; " +
        "frame-ancestors " + System::Sysutils::QuotedStr("self") + " http:; " +
        "base-uri "        + System::Sysutils::QuotedStr("self") + " http:");

    // Add a CORS header allowing any origin to read this application's replies
    aReply->AddHeader("Access-Control-Allow-Origin", "*");
}

 

 

 

Thank You

 

/Claudio

 

 

 

Hmmm..... It does not make sense tweaking the IW side. Even turning off header injection, the error is still the same, so it seems it is just their policy.....

 


 

01-09-2022, 12:44 AM:

 

CORS is very tricky. But first start by enabling the EnableCORS property in the ServerController and see if it helps.

 


 

01-10-2022, 01:08 PM:

 

Hi, if you have control of the other site, remove the header: X-Frame-Options. If you don't have control, they don't want anyone to show their site in a frame.
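
The framing decision discussed in this thread, as an added example that is not part of any post: a simplified JavaScript model of how a browser evaluates the framed site's `frame-ancestors` and `X-Frame-Options` headers against the embedding page. The parent origin `http://iwapp.mydomain.com:8888` is a constructed placeholder, and the function names are hypothetical.

```javascript
// Added example: simplified model of the browser's framing decision.
// Assumptions: only the direct parent is checked (browsers check every ancestor),
// one CSP header, and host sources without a scheme are not tied to the page's scheme.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

const defaultPort = (u) => (u.protocol === 'https:' ? '443' : '80');

function sourceMatches(source, parent, target) {
  const s = source.toLowerCase();
  if (s === "'self'") return parent.origin === target.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && parent.protocol !== scheme + ':') return false;
  const hostOk = host.startsWith('*.')
    ? parent.hostname.endsWith(host.slice(1)) : parent.hostname === host;
  const parentPort = parent.port || defaultPort(parent);
  return hostOk && (port === '*' || parentPort === (port || defaultPort(parent)));
}

// headers: response headers of the FRAMED site (lower-case names).
// Headers sent by the embedding application are not an input to this decision.
function canFrame(parentUrl, targetUrl, headers) {
  const parent = new URL(parentUrl), target = new URL(targetUrl);
  const ancestors = parseCsp(headers['content-security-policy'] || '').get('frame-ancestors');
  if (ancestors) { // when frame-ancestors is present, X-Frame-Options is ignored
    const ok = ancestors.some((s) => sourceMatches(s, parent, target));
    return { allowed: ok, reason: ok ? 'allowed by frame-ancestors' : 'blocked by frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const blocked = xfo === 'DENY' || (xfo === 'SAMEORIGIN' && parent.origin !== target.origin);
  return { allowed: !blocked, reason: blocked ? 'blocked by X-Frame-Options' : 'no framing restriction' };
}

// Constructed parent origin; framed URL and policy are the ones quoted in the thread.
const parentApp = 'http://iwapp.mydomain.com:8888/';
const framed = 'http://anhost.mydomain.com:8880/';
console.log(canFrame(parentApp, framed, { 'content-security-policy': "frame-ancestors 'self'" }));
console.log(canFrame(parentApp, framed,
  { 'content-security-policy': "frame-ancestors 'self' http://iwapp.mydomain.com:8888" }));
```

The first call reproduces the Chrome console error from the first post; the second shows the policy the framed server would have to send for the embedding to work.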