Cross Origin requests for Shibboleth IDP v4.2

prasanna cg prasannacgin at
Mon Aug 29 15:58:17 UTC 2022

Thanks for correcting me, Scott. I verified and we are NOT blocking third party cookies in the browser. All cookies are chosen to be allowed. And reg the IDP config, below is how my “” looks where we had already overridden the idp.frameoptions and idp.csp properties with null (no value). Isn't this a workaround ? If no, Isn't there any other way to get around ?

# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
idp.frameoptions =
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
idp.csp =

— Prasanna

> On Aug 29, 2022, at 7:47 PM, Cantor, Scott <cantor.2 at> wrote:
> That's not a cross-oirign issue in the usual sense, it's a "We don't support frames and block them by default" issue, or it's simply down to you blocking third party cookies in your browser.
> The idp.frameoptions and idp.csp properties control the headers that block frame handling, and we do not recommend changing them.
> -- Scott

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list