Cross Origin requests for Shibboleth IDP v4.2
Herron, Joel D
herronj at uww.edu
Mon Aug 29 16:18:44 UTC 2022
Then you might be looking at a samesite issue. Which again is one of those catch 22s depending on how you feel about old safari users.
From: users <users-bounces at shibboleth.net> on behalf of prasanna cg via users <users at shibboleth.net>
Date: Monday, August 29, 2022 at 11:00 AM
To: Cantor, Scott <cantor.2 at osu.edu>
Cc: prasanna cg <prasannacgin at yahoo.in>, Shib Users <users at shibboleth.net>
Subject: Re: Cross Origin requests for Shibboleth IDP v4.2
Thanks for correcting me, Scott. I verified and we are NOT blocking third party cookies in the browser. All cookies are chosen to be allowed. And reg the IDP config, below is how my “idp.properties” looks where we had already overridden the idp.frameoptions and idp.csp properties with null (no value). Isn't this a workaround ? If no, Isn't there any other way to get around ?
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
On Aug 29, 2022, at 7:47 PM, Cantor, Scott <cantor.2 at osu.edu<mailto:cantor.2 at osu.edu>> wrote:
That's not a cross-oirign issue in the usual sense, it's a "We don't support frames and block them by default" issue, or it's simply down to you blocking third party cookies in your browser.
The idp.frameoptions and idp.csp properties control the headers that block frame handling, and we do not recommend changing them.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users