Hi Ahmad,
It's recommended to keep this header, but you could do better using a Content-Security-Policy, as this site says:
https://www.fastly.com/blog/headers-we-dont-want
<<Some of the tools that audit your site will tell you to add an X-Frame-Options header with a value of ‘SAMEORIGIN’. This tells browsers that you are refusing to be framed by another site, and is generally a good defense against clickjacking <https://en.wikipedia.org/wiki/Clickjacking>. However, the same effect can be achieved, with more consistent support and more robust definition of behaviour, by doing:

Content-Security-Policy: frame-ancestors 'self'

This has the additional benefit of being part of a header (CSP) which you should have anyway for other reasons (more on that later). So you can probably do without X-Frame-Options these days.>>
I'll soon review our headers, even if we don't have many things to change. We can't apply a CSP policy OOTB, and it should be applied when you deploy in production.
HTH
Jacques
On 17/05/2018 at 10:37, Aditya Sharma wrote:
Hi Ahmad,
It is due to x-frame-options.
Refer to this thread https://ofbiz.markmail.org/thread/fvpybyfk6x7afrrg for
better insights.
HTH
Thanks and Regards,
*Aditya Sharma* | Enterprise Software Engineer
HotWax Commerce <http://www.hotwax.co/> by HotWax Systems
<http://www.hotwaxsystems.com/>
<https://www.linkedin.com/in/aditya-sharma-78291810a/>
On Thu, May 17, 2018 at 1:32 PM Ahmad Rabab’ah <araba...@bi-bst.com> wrote:
Hello Dears,
How can I solve the cross-origin issue with OFBiz?
Error :
Failed to load
http/localhost:4334/myportal/control/login?USERNAME=admin&PASSWORD=ofbiz:
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:4200' is therefore not allowed access.
Best Regards,
Ahmad Rbab’ah
Java Developer
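
Added example (not part of the thread and not OFBiz code): a Python check that reports which header governs framing for a response, following the point in the quoted Fastly text that frame-ancestors achieves the effect of X-Frame-Options. The function name, verdict labels and sample headers are assumptions constructed for illustration.

```python
def framing_policy(headers):
    """Return (mechanism, verdict) for a response's anti-framing headers.

    headers: list of (name, value) pairs; a response may repeat a header.
    verdict: "deny", "same-origin", "allow-list" or "unprotected".
    """
    csp_lists, xfo = [], set()
    for name, value in headers:
        name = name.strip().lower()
        if name == "content-security-policy":
            for policy in value.split(","):        # a comma separates policies
                for directive in policy.split(";"):
                    tokens = directive.split()
                    if tokens and tokens[0].lower() == "frame-ancestors":
                        csp_lists.append([t.lower() for t in tokens[1:]])
                        break                      # first occurrence in a policy wins
        elif name == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())

    if csp_lists:
        # An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
        # Several policies must all pass, so report the strictest one found.
        if any(not s or s == ["'none'"] for s in csp_lists):
            return ("csp", "deny")
        if any(s == ["'self'"] for s in csp_lists):
            return ("csp", "same-origin")
        return ("csp", "allow-list")
    # Fallback: only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete and ignored.
    if "deny" in xfo or (len(xfo) > 1 and xfo & {"deny", "sameorigin"}):
        return ("x-frame-options", "deny")         # conflicting values block framing
    if xfo == {"sameorigin"}:
        return ("x-frame-options", "same-origin")
    return ("none", "unprotected")

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "xfo_only": [("X-Frame-Options", "SAMEORIGIN")],
    "both": [("X-Frame-Options", "DENY"),
             ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp_no_fa": [("Content-Security-Policy", "default-src 'self'")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, framing_policy(hdrs))
```

The "both" sample shows why the two headers should agree while both are deployed: the CSP directive decides, so a stricter X-Frame-Options value next to it has no effect in browsers that support frame-ancestors.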