Cross Origin requests for Shibboleth IDP v4.2

Herron, Joel D herronj at
Mon Aug 29 16:18:44 UTC 2022

Then you might be looking at a SameSite issue, which again is one of those catch-22s depending on how you feel about old Safari users.


From: users <users-bounces at> on behalf of prasanna cg via users <users at>
Date: Monday, August 29, 2022 at 11:00 AM
To: Cantor, Scott <cantor.2 at>
Cc: prasanna cg <prasannacgin at>, Shib Users <users at>
Subject: Re: Cross Origin requests for Shibboleth IDP v4.2
Thanks for correcting me, Scott. I verified and we are NOT blocking third party cookies in the browser. All cookies are chosen to be allowed. And regarding the IDP config, below is how my “” looks, where we had already overridden the idp.frameoptions and idp.csp properties with null (no value). Isn't this a workaround? If not, isn't there any other way to get around it?

# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
idp.frameoptions =
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
idp.csp =

— Prasanna

On Aug 29, 2022, at 7:47 PM, Cantor, Scott <cantor.2 at> wrote:

That's not a cross-origin issue in the usual sense, it's a "We don't support frames and block them by default" issue, or it's simply down to you blocking third party cookies in your browser.

The idp.frameoptions and idp.csp properties control the headers that block frame handling, and we do not recommend changing them.

-- Scott
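
The thread names two separate reasons a framed IdP page can fail: the framing headers driven by idp.frameoptions and idp.csp, and cookies withheld under SameSite rules. The following is an added example, not part of the original messages or of the Shibboleth project's code, that tells the two apart from a response's headers. The sample headers and the JSESSIONID value are constructed, and the "cleared" response assumes the empty properties result in neither header being sent.

```python
# Constructed sample responses (not captured from a real IdP).
DEFAULT_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none';"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/idp; Secure; HttpOnly"),
]
CLEARED_HEADERS = [  # neither framing header present (assumed effect of empty properties)
    ("Set-Cookie", "JSESSIONID=abc123; Path=/idp; Secure; HttpOnly"),
]

def framing_policy(headers):
    """Return 'deny', 'same-origin', 'allow-list' or 'unrestricted'.
    Simplification: if several CSP headers are present, the last one wins."""
    ancestors, xfo = None, ""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.lower().split()
                if parts and parts[0] == "frame-ancestors":
                    ancestors = parts[1:]
        elif name.lower() == "x-frame-options":
            xfo = value.strip().upper()
    if ancestors is not None:  # frame-ancestors takes precedence over X-Frame-Options
        if ancestors in ([], ["'none'"]):
            return "deny"
        return "same-origin" if ancestors == ["'self'"] else "allow-list"
    return {"DENY": "deny", "SAMEORIGIN": "same-origin"}.get(xfo, "unrestricted")

def cookies_withheld_cross_site(headers):
    """Cookie names not sent in a cross-site iframe by a browser that enforces
    SameSite and treats a missing attribute as Lax (assumption)."""
    withheld = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        attr = {a.partition("=")[0].lower(): a.partition("=")[2].lower() for a in attrs}
        # Only SameSite=None combined with Secure is sent in a cross-site subframe.
        if not (attr.get("samesite") == "none" and "secure" in attr):
            withheld.append(pair.partition("=")[0])
    return withheld

def diagnose(headers):
    """Report which of the two causes discussed in the thread applies first."""
    policy = framing_policy(headers)
    if policy != "unrestricted":
        return "blocked by headers: " + policy
    withheld = cookies_withheld_cross_site(headers)
    if withheld:
        return "framing allowed, cookies withheld: " + ", ".join(withheld)
    return "no header or SameSite obstacle"
```

On the constructed "cleared" response the frame would render, but the session cookie is still withheld, so clearing the two properties alone does not make the framed flow work.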
