CEF iframe CORS issue

Postby gianpatt777 » Thu Apr 30, 2020 3:58 pm

Hi all,

I moved to the CEF version (cef_binary_80.0.8+gf96cd1d+chromium-80.0.3987.132_windows64) and I have problems loading an iframe in my embedded browser.

I load a local page (so file://) and inside I have an iframe that loads an external https.

I got this error: "Refused to display 'https://*****' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."

In my previous version of CEF (cef_binary_3.3538.1852.gcb937fc_windows64) I had no problems.
I always had the "command_line->AppendSwitch("disable-web-security")" and (CefBrowserSettings.web_security = STATE_DISABLED).

In my application I open only "static" and well-known pages, so disabling the security is safe.

Any advice? What can I do to have the same behavior as the previous version?

Thanks
Gian

Re: CEF iframe CORS issue

Postby leeroy » Tue Jun 02, 2020 12:20 am

I believe we're having a very similar issue. We have moved from 3729 -> 4044 (appears to be an issue as early as 3987, possibly 3809) and any cross domain iframe requests appear to be blocked.

There is no specific error message displayed while remote debugging. The request appears to be issued, but just stops without error. We are sending back the correct headers including "access-control-allow-origin: *".

I understand there have been some changes recently with same origin or cross domain restrictions, but we cannot figure out how exactly we are impacted and how this has stopped serving the iframe.

We have tried adding CefAddCrossOriginWhitelistEntry for the complete domain including subdomain, included the port, didn't include the port, and tried matching any domain with an empty target_domain and nothing seems to stick. We even tried applying the disable-web-security switch and still nothing.

Any pointers would be much appreciated, we're stuck trying to get to the bottom of this.
Cheers
Lee

Re: CEF iframe CORS issue

Postby leeroy » Tue Jun 02, 2020 12:41 am


Re: CEF iframe CORS issue

Postby magreenblatt » Tue Jun 02, 2020 9:25 am

@Lee: What CEF version specifically are you using? Can you share an example URL that reproduces the problem? Does the problem reproduce with the CEF sample apps? How about Google Chrome at the same version?

Re: CEF iframe CORS issue

Postby leeroy » Tue Jun 02, 2020 12:54 pm

Marshall, currently we are experimenting with 4103. It seems when we run this in the vanilla cefclient/sample app it works fine, so likely something unique we are doing. Also works fine in vanilla Chrome 81 and 83. What is weird is this worked fine in 3729. We just recently discovered when we run with the --single-process flag the cross domain iframe works again. Not sure what this means at this point...

I'm going to try and find a public URL we can share here with a cross domain url that has the right headers and will post up.

Re: CEF iframe CORS issue

Postby AdishreeM » Thu Oct 29, 2020 12:58 am

Hello, we have recently updated our custom browser to CEF 4183 and have been facing a problem loading a web app that uses resources from an internal CDN. The error shown is:

Access to script at 'https://cdn.*.com/core-communications-angular/2.1.0/core-communications.min.js' from origin 'https:/*.apps.*.com' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: It does not have HTTP ok status


The issue started after this CEF commit: https://bitbucket.org/chromiumembedded/cef/commits/1119d2723c7c

The app loads properly in our browser when we use the "disable-features=OutOfBlinkCors" flag.
It loads without flag in Chromium as well as CefClient. But I didn't find any recent related changes in cefclient.
Can you share some insights to help us understand the problem here?

Re: CEF iframe CORS issue

Postby magreenblatt » Thu Oct 29, 2020 10:17 am

Are you testing with cefclient from the same CEF version as your app?

Re: CEF iframe CORS issue

Postby AdishreeM » Mon Nov 02, 2020 12:37 am

@magreenblatt, yes both have the same version.

Re: CEF iframe CORS issue

Postby magreenblatt » Mon Nov 02, 2020 11:50 am

AdishreeM wrote: @magreenblatt, yes both have the same version.

Are you intercepting requests in your application? Are you intercepting the CORS preflight request?

Re: CEF iframe CORS issue

Postby rsharma07 » Mon Mar 08, 2021 1:24 am

Hi everyone, we have updated our browser application to 4324 and we are having a problem loading some icons from our internal CDN. This error is related to CORS policy:

Access to font at 'https://cdn.NAME.com/thief-angular/2.18.0/fonts/thief-icons.woff' from origin 'https://*.apps.NAME.com' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.


We were not getting any problem with this flag "disable-features=OutOfBlinkCors"; it seems it has been disabled in CEF now: https://bitbucket.org/chromiumembedded/ ... -not-fully

Running with "--disable-web-security" fixes the problem, but it might create some security issues.
Is there any alternative for this?

Thank you.
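The two preflight failures quoted in this thread ("It does not have HTTP ok status" and "Request header field authorization is not allowed by Access-Control-Allow-Headers") can be checked offline by applying the Fetch standard's preflight rules to the status and headers of the captured OPTIONS response, which shows what the CDN has to return instead of disabling web security. This is an added example, not part of any post and not CEF code; the name checkPreflight, the object shapes and the example.test hostname are assumptions.

```javascript
// Added example: Fetch-standard CORS-preflight checks; sample values are constructed.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}
// request:  { origin, method, headers: [non-safelisted names], credentials }
// response: { status, headers: { "lower-cased-name": "value" } }
// Returns null when the preflight passes, otherwise the reason it fails.
function checkPreflight(request, response) {
  const h = response.headers;
  const creds = request.credentials === true;
  if (response.status < 200 || response.status > 299) {
    return "preflight does not have HTTP ok status";
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== request.origin && !(allowOrigin === "*" && !creds)) {
    return "origin is not allowed by Access-Control-Allow-Origin";
  }
  if (creds && h["access-control-allow-credentials"] !== "true") {
    return "Access-Control-Allow-Credentials is not 'true'";
  }
  const methods = parseList(h["access-control-allow-methods"]);
  const safelisted = ["GET", "HEAD", "POST"].includes(request.method);
  const anyMethod = methods.includes("*") && !creds;
  if (!safelisted && !methods.includes(request.method) && !anyMethod) {
    return `method ${request.method} is not allowed by Access-Control-Allow-Methods`;
  }
  const allowed = parseList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    // "*" only counts without credentials and never covers "authorization".
    const wildcard = allowed.includes("*") && !creds && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) {
      return `request header field ${name} is not allowed by Access-Control-Allow-Headers`;
    }
  }
  return null;
}

// Constructed samples mirroring the two errors quoted in the thread.
const fontRequest = { origin: "https://app.example.test", method: "GET",
  headers: ["Authorization"], credentials: false };
const rejected = { status: 403, headers: {} };
const wildcardOnly = { status: 204, headers: {
  "access-control-allow-origin": "*", "access-control-allow-headers": "*" } };
const explicit = { status: 204, headers: {
  "access-control-allow-origin": "*",
  "access-control-allow-headers": "authorization, content-type" } };
for (const r of [rejected, wildcardOnly, explicit]) {
  console.log(checkPreflight(fontRequest, r) || "preflight passes");
}
```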
