Welcome! Log In Create A New Profile

Advanced

SAMEORIGIN vs CORS

Posted by lexgabrees 
SAMEORIGIN vs CORS
June 16, 2020 09:41AM
Hi all,

I'm using nignx in order to serve an application that (can) make use of CORS settings. That means that in the dashboard of the application I can have some settings for restricting CORS to specific domains.

I also have this line in my nginx configuration :

add_header X-Frame-Options SAMEORIGIN;

But I also have these lines :

add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

I understand that x-frame options has to do with being able to load the web application in an iframe or not.

My question is:

Should having CORS set for a certain domain name, enable loading code within the iframe on the domain names set as unrestricted inthe CORS settings? Or in other words: should CORS settings be able to override the x-frame options line for specific domains?

Thanks,
Lex
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 77
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready