Allow configuration of CORS policy settings to access homepage from within iframe #2359
Replies: 2 comments
-
I moved this to a FR, I dont think its a bug. To do this we would most certainly have to make the CORS policy configurable to avoid just making it wide-open. But it's not so simple because our app doesnt just load within the iframe it makes its own fetch calls, thats what CORS blocks and IIRC you cant just allow all domains for authenticated requests. I'd happily accept a PR, but I have limited interest personally in working on this, I think the demand is small and frankly, CORS stuff is not fun to fight with or test. |
Beta Was this translation helpful? Give feedback.
-
This discussion has been automatically closed due to lack of community support. See our contributing guidelines for more details. |
Beta Was this translation helpful? Give feedback.
-
Description
After speaking with phelps through discord he advised me to open this request.
I am running a swag container (nginx reverse proxy) as well as an organizr container (centralized site management) and I am attempting to add homepage to my organizr tabs as an iframe.
Upon adding the iframe to organizr, when trying to access homepage I receive the following errors:
Access to XMLHttpRequest at 'https://my.homepage.url' from origin 'https://my.organizr.url'has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Steps to reproduce
Accessing the page via organizr with homepage as an iframe is when the error occurs.
homepage version
v0.8.0
Installation method
Docker
Configuration
No response
Container Logs
No response
Browser Logs
No response
Troubleshooting
After researching online I found a suggestion to try adding the following header:
add_header Access-Control-Allow-Origin "$http_origin" always;
This generates a new error below:
Access to XMLHttpRequest at 'https://my.homepage.url' from origin 'https://my.organizr.url'has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
So just as a test I added
if ($request_method = 'OPTIONS') {
return 204
{
Access to XMLHttpRequest at 'https://my.homepage.url' from origin 'https://my.organizr.url' has been blocked by CORS policy: Request header field formkey is not allowed by Access-Control-Allow-Headers in preflight response.
I'm honestly completely out of the loop when it comes to CORS, so I'm not even sure where to begin troubleshooting farther other than trying what suggestions I've found online thus far.
I originally ran across homepage from a random reddit post from about 10 months ago where a couple of users had added homepage to their organizr setups, which is what prompted me to attempt it for myself. I'm not sure if something changed since their posts, and have not heard back from them if they encountered any issues when adding it to their setups.
Other
No response
Before submitting, I have made sure to
Beta Was this translation helpful? Give feedback.
All reactions