Hello Dears,

How can I solve the cross origin issue with ofbiz?

Error:

Failed to load https://10.99.157.14:8443/myportal/control/login?USERNAME=admin&PASSWORD=ofbiz: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

Best Regards,

Ahmad Rbab’ah
Java Developer

Ahmad Rabab’ah would like to recall the message, "CORS Error".

Hello Dears,

How can I solve the cross origin issue with ofbiz?

Error:

Failed to load http/localhost:4334/myportal/control/login?USERNAME=admin&PASSWORD=ofbiz: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

Best Regards,

Ahmad Rbab’ah
Java Developer

Hi Ahmad,

It is due to x-frame-options.

Refer to this thread https://ofbiz.markmail.org/thread/fvpybyfk6x7afrrg for better insights.

HTH

Thanks and Regards,

*Aditya Sharma* | Enterprise Software Engineer
HotWax Commerce <http://www.hotwax.co/> by HotWax Systems <http://www.hotwaxsystems.com/>
<https://www.linkedin.com/in/aditya-sharma-78291810a/>

On Thu, May 17, 2018 at 1:32 PM Ahmad Rabab’ah <[hidden email]> wrote:

> Hello Dears , ,
>
> How can I solve the cross origin issue with ofbiz ?
> Error :
>
> Failed to load
> http/localhost:4334/myportal/control/login?USERNAME=admin&PASSWORD=ofbiz:
> Response to preflight request doesn't pass access control check: No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://localhost:4200' is therefore not allowed access.
>
> Best Regards,
>
> Ahmad Rbab’ah
> Java Developer

Hi Ahmad,

It's recommended to keep this header, but you could do better using a Content-Security-Policy, as the site https://www.fastly.com/blog/headers-we-dont-want says:

<<Some of the tools that audit your site will tell you to add an X-Frame-Options header with a value of ‘SAMEORIGIN’. This tells browsers that you are refusing to be framed by another site, and is generally a good defense against clickjacking <https://en.wikipedia.org/wiki/Clickjacking>. However, the same effect can be achieved, with more consistent support and more robust definition of behaviour, by doing:

    Content-Security-Policy: frame-ancestors 'self'

This has the additional benefit of being part of a header (CSP) which you should have anyway for other reasons (more on that later). So you can probably do without X-Frame-Options these days.>>

I'll soon review our headers, even if we do not have many things to change. We can't apply a CSP policy OOTB, and it should be applied when you deploy in production.

HTH

Jacques

On 17/05/2018 at 10:37, Aditya Sharma wrote:

> Hi Ahmad,
>
> It is due to x-frame-options.
>
> Refer this thread https://ofbiz.markmail.org/thread/fvpybyfk6x7afrrg for
> better insights.
>
> HTH
>
> Thanks and Regards,
>
> *Aditya Sharma* | Enterprise Software Engineer
> HotWax Commerce <http://www.hotwax.co/> by HotWax Systems
> <http://www.hotwaxsystems.com/>
>
> <https://www.linkedin.com/in/aditya-sharma-78291810a/>
>
>
> On Thu, May 17, 2018 at 1:32 PM Ahmad Rabab’ah <[hidden email]> wrote:
>
>> Hello Dears , ,
>>
>> How can I solve the cross origin issue with ofbiz ?
>> Error :
>>
>> Failed to load
>> http/localhost:4334/myportal/control/login?USERNAME=admin&PASSWORD=ofbiz:
>> Response to preflight request doesn't pass access control check: No
>> 'Access-Control-Allow-Origin' header is present on the requested resource.
>> Origin 'http://localhost:4200' is therefore not allowed access.
>>
>> Best Regards,
>>
>> Ahmad Rbab’ah
>> Java Developer
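
The preflight check behind the error quoted in this thread, as an added example (not from any poster and not OFBiz code): the server side answers with an exact-match origin allow-list, and a simplified browser side decides whether the real request may be sent. The allowed origin, methods, header names, the JSON POST scenario and both function names are assumptions made for illustration.

```javascript
// Added example. Origins, methods and header names below are constructed
// values, not OFBiz settings.
const ALLOWED_ORIGINS = new Set(["http://localhost:4200"]); // assumed dev front end
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"];
const SIMPLE_METHODS = ["GET", "HEAD", "POST"]; // never need to be listed

// Server side: CORS headers to add to a response (hypothetical helper).
function corsResponseHeaders(method, reqHeaders) {
  const headers = { "Vary": "Origin" }; // keep caches from mixing origins
  const origin = reqHeaders["origin"];
  // Exact-match allow-list: do not echo arbitrary origins on a login endpoint.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  if (method === "OPTIONS" && reqHeaders["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Browser side, simplified (no credentials mode): may the real request be sent?
function preflightPasses(origin, method, headerNames, resHeaders) {
  const list = (name) => (resHeaders[name] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = resHeaders["Access-Control-Allow-Origin"];
  // A missing or different value produces the error quoted in the thread.
  if (allowOrigin !== origin && allowOrigin !== "*") return false;
  const methods = list("Access-Control-Allow-Methods");
  if (!SIMPLE_METHODS.includes(method) && !methods.includes(method.toLowerCase())) return false;
  const allowed = list("Access-Control-Allow-Headers");
  return headerNames.every((h) => allowed.includes(h.toLowerCase()));
}

// Constructed preflight for a JSON POST from the front end.
const preflight = {
  "origin": "http://localhost:4200",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type",
};
const framingOnly = { // a response that carries only anti-framing headers
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "frame-ancestors 'self'",
};
console.log(preflightPasses("http://localhost:4200", "POST", ["content-type"],
  corsResponseHeaders("OPTIONS", preflight)));                                  // true
console.log(preflightPasses("http://localhost:4200", "POST", ["content-type"], framingOnly)); // false
```

The browser-side model reads only the `Access-Control-*` response headers, so the OPTIONS response itself has to carry them for the listed origin.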