Cross Origin requests for Shibboleth IDP v4.2

[Herron, Joel D]

Then you might be looking at a samesite issue. Which again is one of those catch 22s depending on how you feel about old safari users.

--Joel

From: users <users-bounces at shibboleth.net> on behalf of prasanna cg via users <users at shibboleth.net>
Date: Monday, August 29, 2022 at 11:00 AM
To: Cantor, Scott <cantor.2 at osu.edu>
Cc: prasanna cg <prasannacgin at yahoo.in>, Shib Users <users at shibboleth.net>
Subject: Re: Cross Origin requests for Shibboleth IDP v4.2
EXTERNAL EMAIL
Thanks for correcting me, Scott. I verified and we are NOT blocking third party cookies in the browser. All cookies are chosen to be allowed. And reg the IDP config, below is how my “idp.properties” looks where we had already overridden the idp.frameoptions and idp.csp properties with null (no value). Isn't this a workaround ? If no, Isn't there any other way to get around ?

# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
idp.frameoptions =
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';
idp.csp =


— Prasanna



On Aug 29, 2022, at 7:47 PM, Cantor, Scott <cantor.2 at osu.edu<mailto:cantor.2 at osu.edu>> wrote:

That's not a cross-oirign issue in the usual sense, it's a "We don't support frames and block them by default" issue, or it's simply down to you blocking third party cookies in your browser.

The idp.frameoptions and idp.csp properties control the headers that block frame handling, and we do not recommend changing them.

-- Scott


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220829/b5776def/attachment.htm>