Atozed Forums

CORS issue?
Hi All,

I am trying to open a site (some intranet) into a TIWUrlWindow, but I am not able to see it. Chrome console shows:
Refused to frame 'http://anhost.mydomain.com:8880/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Is that server refusing to be iframed? I already followed Jose Nilton's post about header injection.

Code:
void __fastcall TIWServerController::IWServerControllerBaseAfterDispatch(THttpRequest *Request,
          THttpReply *aReply)
{
    // Adds a Content-Security-Policy header to every reply sent by this IntraWeb application
    aReply->AddHeader("Content-Security-Policy",
      "default-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "frame-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "script-src "        + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "style-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + "; " +
      "img-src "           + System::Sysutils::QuotedStr("self") + " http: data:; " +
      "object-src "        + System::Sysutils::QuotedStr("self") + "; " +
      "media-src "         + System::Sysutils::QuotedStr("self") + " http:; " +
      "frame-ancestors "   + System::Sysutils::QuotedStr("self") + " http:; " +
      "base-uri "          + System::Sysutils::QuotedStr("self") + " http:");

    aReply->AddHeader("Access-Control-Allow-Origin", "*");
}

Thank You

/Claudio
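As an added example (not code from the thread or from IntraWeb), the following models how a browser decides the Chrome error above: the frame-ancestors directive is read from the Content-Security-Policy header of the framed response itself, so headers added on the IW side play no part in that decision. The embedding app's origin http://iwapp.mydomain.com:8888/ used below is a constructed placeholder.

```python
# Added example (not IntraWeb's code): how a browser applies the frame-ancestors
# directive carried by the FRAMED response's own Content-Security-Policy header.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin_parts(url):
    u = urlsplit(url)  # (scheme, host, port) of the URL's origin, default port filled in
    return u.scheme.lower(), u.hostname, u.port or DEFAULT_PORTS.get(u.scheme.lower())

def source_matches(source, ancestor, framed):
    """Match one source expression ('self', 'none', *, scheme:, host[:port]) to the ancestor."""
    scheme, host, port = ancestor
    src = source.lower()
    if src == "'self'":          # same scheme, host and port as the framed response itself
        return ancestor == framed
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:   # scheme-source; https satisfies "http:"
        return scheme == src[:-1] or (src == "http:" and scheme == "https")
    src_host, _, src_port = src.partition(":")  # host-source, optional "*." prefix and port
    if src_port:
        if src_port != "*" and int(src_port) != port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):     # no port in the source: default port only
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host

def may_frame(csp_header, framed_url, ancestor_url):
    """True if a browser lets the page at ancestor_url frame framed_url, whose response carried
    csp_header. Without frame-ancestors, CSP does not restrict framing (default-src is no fallback)."""
    policy = parse_csp(csp_header)
    if "frame-ancestors" not in policy:
        return True
    framed, ancestor = origin_parts(framed_url), origin_parts(ancestor_url)
    return any(source_matches(s, ancestor, framed) for s in policy["frame-ancestors"])
```

Calling may_frame("frame-ancestors 'self'", "http://anhost.mydomain.com:8880/", "http://iwapp.mydomain.com:8888/") returns False, which is the refusal Chrome reports; only the intranet server can change that by widening its own frame-ancestors list.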

Hmmm..... Does not make sense tweaking the IW side. Even turning off header injection, the error is still the same, so it seems it's just their policy.....
CORS is very tricky. But first start by enabling the EnableCORS property in the ServerController and see if it helps.
Hi, if you have control of the other site, remove the X-Frame-Options header. If you don't have control, they don't let anyone show their site in a frame.