Atozed Forums
CORS issue ? - Printable Version




CORS issue ? - duffo64 - 01-08-2022

Hi All,

I am trying to open a site (some intranet) in a TIWUrlWindow, but I am not able to see it. Chrome console shows:
Refused to frame 'http://anhost.mydomain.com:8880/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Is that server refusing to be iFramed? I already followed Jose Nilton's post about headers injection.

Code:
void __fastcall TIWServerController::IWServerControllerBaseAfterDispatch(THttpRequest *Request,
          THttpReply *aReply)
{
    // Inject security headers into every reply sent by this IntraWeb server
    aReply->AddHeader("Content-Security-Policy",
      "default-src "       + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "frame-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "script-src "        + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + " " + System::Sysutils::QuotedStr("unsafe-eval") + "; " +
      "style-src "         + System::Sysutils::QuotedStr("self") + " http: " + System::Sysutils::QuotedStr("unsafe-inline") + "; " +
      "img-src "           + System::Sysutils::QuotedStr("self") + " http: data:; " +
      "object-src "        + System::Sysutils::QuotedStr("self") + "; " +
      "media-src "         + System::Sysutils::QuotedStr("self") + " http:; " +
      "frame-ancestors "   + System::Sysutils::QuotedStr("self") + " http:; " +
      "base-uri "          + System::Sysutils::QuotedStr("self") + " http:");

    aReply->AddHeader("Access-Control-Allow-Origin", "*");
}

Thank You

/Claudio

Hmmm..... It does not make sense tweaking the IW side. Even after turning off headers injection the error is still the same, so it seems to be just their policy.....


RE: CORS issue ? - kudzu - 01-09-2022

CORS is very tricky. But first start by enabling the EnableCORS property in the ServerController and see if it helps.


RE: CORS issue ? - Jose Nilton Pace - 01-10-2022

Hi, if you have control of the other site, remove the header: X-Frame-Options. If you don't have control, they don't allow anyone to show their site in a frame.
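
An added example (not part of any post in this thread, and not IntraWeb code): a simplified JavaScript model of the framing check behind the Chrome message quoted in the first post, showing that only the framed site's response headers decide whether it can be embedded. The function names, the embedding URL `http://iwapp.example:8888/` and the exact-origin-only host matching are assumptions made for illustration.

```javascript
// Simplified model of the browser's framing decision (one ancestor only).
// Only the headers of the FRAMED response are consulted; the embedding
// page's own Content-Security-Policy plays no part in this decision.
function frameAncestorsSources(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, ancestor, framedOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === framedOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
    // scheme-source; "http:" also matches https ancestors
    return ancestor.protocol === s ||
           (s === "http:" && ancestor.protocol === "https:");
  }
  // Assumption: host-sources are compared as exact origins, no wildcards.
  try { return new URL(s).origin === ancestor.origin; }
  catch { return false; } // covers 'none' and anything unparsable
}

function framingAllowed(framedUrl, framedHeaders, ancestorUrl) {
  const framedOrigin = new URL(framedUrl).origin;
  const ancestor = new URL(ancestorUrl);
  const sources = frameAncestorsSources(framedHeaders["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    return sources.some((s) => sourceMatches(s, ancestor, framedOrigin));
  }
  const xfo = (framedHeaders["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestor.origin === framedOrigin;
  return true;
}

// Constructed sample: the intranet host from the error message, framed by
// a hypothetical IntraWeb application on another origin.
const FRAMED = "http://anhost.mydomain.com:8880/";
const EMBEDDER = "http://iwapp.example:8888/";
console.log(framingAllowed(FRAMED,
  { "content-security-policy": "frame-ancestors 'self'" }, EMBEDDER));
```

The policy that would let the embedder through has to be sent by `anhost.mydomain.com` itself, for example by listing the embedding origin in its `frame-ancestors` directive.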