CORS issue ?

[duffo64]

Hi All,

I am trying to open a site (some intranet) into an TIWUrlWindow, but I am not able to see it. Chrome console shows:
Refused to frame 'http://anhost.mydomain.com:8880/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Is that server refusing to be iFramed ? I already followed Jose Nilton's post about headers injection.

Code:

void __fastcall TIWServerController::IWServerControllerBaseAfterDispatch(THttpRequest *Request,
          THttpReply *aReply)
{

    aReply->AddHeader("Content-Security-Policy",
      "default-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "frame-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "script-src "        + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "style-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + "; " +
      "img-src "           + System::Sysutils::QuotedStr("self") + " http: data:; " +
      "object-src "        + System::Sysutils::QuotedStr("self") + "; " +
      "media-src "         + System::Sysutils::QuotedStr("self") + " http:; " +
      "frame-ancestors "   + System::Sysutils::QuotedStr("self") + " http:; " +
      "base-uri "          + System::Sysutils::QuotedStr("self") + " http:");

   aReply->AddHeader("Access-Control-Allow-Origin", "*");

Thank You

/Claudio

---

Hmmm..... Does not makes sense tweaking IW side. Even turning off headers injection the error still the same, so it seems just their policy.....