CORS issue ?
#1
Hi All,

I am trying to open a site (some intranet) in a TIWUrlWindow, but I am not able to see it. Chrome console shows:
Refused to frame 'http://anhost.mydomain.com:8880/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Is that server refusing to be iFramed? I already followed Jose Nilton's post about header injection.

Code:
void __fastcall TIWServerController::IWServerControllerBaseAfterDispatch(THttpRequest *Request,
          THttpReply *aReply)
{
    // Add a Content-Security-Policy header to every reply sent by this IntraWeb application.
    aReply->AddHeader("Content-Security-Policy",
      "default-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "frame-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "script-src "        + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "style-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + "; " +
      "img-src "           + System::Sysutils::QuotedStr("self") + " http: data:; " +
      "object-src "        + System::Sysutils::QuotedStr("self") + "; " +
      "media-src "         + System::Sysutils::QuotedStr("self") + " http:; " +
      "frame-ancestors "   + System::Sysutils::QuotedStr("self") + " http:; " +
      "base-uri "          + System::Sysutils::QuotedStr("self") + " http:");

    // Add a wildcard Access-Control-Allow-Origin header to the same reply.
    aReply->AddHeader("Access-Control-Allow-Origin", "*");
}


Thank You

/Claudio

Hmmm..... It does not make sense tweaking the IW side. Even with header injection turned off, the error is still the same, so it seems it is just their policy.....
Reply
#2
CORS is very tricky. But first start by enabling the EnableCORS property in the ServerController and see if it helps.
Reply
#3
Hi, if you have control of the other site, remove the header: X-Frame-Options. If you don't have control, they don't want anyone to show their site in a frame.
Reply
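
The refusal quoted in the first post is decided by headers on the framed server's response, so one way to diagnose it is to evaluate those headers against the embedding page's origin. The following is an added example, not code from the thread or from IntraWeb; `canBeFramed`, `matchesSource` and the parent URL are hypothetical, and only one parent is checked where a browser checks every ancestor.

```javascript
// Added example, not from the thread. Inputs are the FRAMED site's response headers;
// only the direct parent is checked (browsers check every ancestor).
function matchesSource(src, parent, framed) {
  if (src.toLowerCase() === "'self'") return parent.origin === framed.origin;
  const web = ["http:", "https:"].includes(parent.protocol);
  if (src === "*") return web;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) { // scheme source such as "http:"
    const s = src.toLowerCase();
    return s === parent.protocol || (s === "http:" && parent.protocol === "https:");
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m; // 'none' parses as a host that never matches
  // Assumption: a host source without a scheme accepts an http or https parent.
  const schemeOk = scheme ? matchesSource(scheme + ":", parent, framed) : web;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? parent.hostname.endsWith(h.slice(1)) : h === parent.hostname;
  const effPort = parent.port || (parent.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || (port ? port === effPort : parent.port === "");
  return schemeOk && hostOk && portOk;
}

function canBeFramed(framedHeaders, framedUrl, parentUrl) {
  const framed = new URL(framedUrl), parent = new URL(parentUrl);
  const hdr = {};
  for (const [k, v] of Object.entries(framedHeaders)) hdr[k.toLowerCase()] = v;
  let sawFrameAncestors = false;
  // Several policies may be comma-joined in one header; each one must allow the parent.
  for (const policy of (hdr["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      sawFrameAncestors = true;
      if (!sources.some((s) => matchesSource(s, parent, framed)))
        return { allowed: false, reason: "frame-ancestors" };
      break; // only the first frame-ancestors in a policy counts
    }
  }
  if (sawFrameAncestors) return { allowed: true, reason: "frame-ancestors" };
  // X-Frame-Options is consulted only when no frame-ancestors directive exists.
  const xfo = (hdr["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || (xfo === "SAMEORIGIN" && parent.origin !== framed.origin))
    return { allowed: false, reason: "x-frame-options" };
  return { allowed: true, reason: "none" };
}

// Constructed sample: the framed URL is from the error above; the parent origin is hypothetical.
const verdict = canBeFramed({ "Content-Security-Policy": "frame-ancestors 'self'" },
  "http://anhost.mydomain.com:8880/", "http://iwapp.example:8888/");
console.log(verdict);
```

The function takes no headers from the embedding application, which matches the observation in the thread that changing the injected headers on the IW side left the error unchanged.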

