Embedding a small app in Wix

Hi,

I am embedding an app in an IFRAME. With CUBA I get no errors. With Jmix I get a message saying the hosting domain has rejected the connection.

I presume there is some sort of restriction. Can I bypass it or are there any legal restrictions?
I don’t see any errors in the output of the app either. So I have no clue how to go about it.

EDIT: After a while I noticed in the chrome console the server is setting x-frame-options to sameorigin. So that seems to be the issue. However I previously set the jmix.cors.allowed-origins to ‘*’. But this has apparently no effect.

Thanks for any guidance.

Regards,
Carlos.

Hello!

You should specify the CSP frame-ancestors directive for your Jmix application, since X-Frame-Options is deprecated.

Take a look at this topic:
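Added example, not code from the thread or from the Jmix project: the advice above written as a plain Spring Security 5 configuration in the same WebSecurityConfigurerAdapter style the thread uses, sending only a frame-ancestors directive that names the hosting site. The package name and the hosting-site hosts are placeholders to replace with the real Wix site origins.

```java
package com.example.security; // placeholder package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Allows the app to be framed only by the named hosting site. Framing is governed by
 * X-Frame-Options / CSP frame-ancestors, not by CORS, so jmix.cors.allowed-origins
 * has no effect on it.
 */
@Configuration
public class FrameAncestorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder origins: only these may embed the app in an <iframe>.
    // 'self' keeps same-origin framing (e.g. the app framing its own pages) working.
    private static final String FRAME_ANCESTORS =
            "frame-ancestors 'self' https://www.example-hosting-site.com https://*.example-hosting-site.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // keep the default login and "authenticated" rules

        http.headers(headers -> headers
                // Stop sending X-Frame-Options: SAMEORIGIN; it cannot express
                // "this one other origin", and browsers prefer frame-ancestors anyway.
                .frameOptions(frameOptions -> frameOptions.disable())
                // Emit Content-Security-Policy with frame-ancestors only, so the
                // app's own script/style/image loading is left unchanged.
                .contentSecurityPolicy(csp -> csp.policyDirectives(FRAME_ANCESTORS)));
    }
}
```

After deploying, confirm in the browser's network tab that the document response carries Content-Security-Policy: frame-ancestors ... and no X-Frame-Options header.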

I solved it after many attempts with this class code. I am well aware I need to refine some security levels in order to bring this to a production environment. In case you have any suggestions that can save me some time I will gladly welcome them.

Many thanks.

package com.domusvcs.clientes.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Configuration
//@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Earlier attempts, kept for reference:
        //http.headers().contentSecurityPolicy("frame-ancestors https://*.[domain].com https://[domain].com");
        //super.configure(http);
        //http.headers().contentSecurityPolicy(secPolicy -> secPolicy.policyDirectives("frame-ancestors [domain].com"));

        http
                // CSRF protection is switched off for every request.
                .csrf().disable()
                .authorizeRequests()
                // "/**" matches every path, so all requests are permitted and the
                // authenticated() rule below is never reached.
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated();

        http
                // Stop sending X-Frame-Options: SAMEORIGIN, which is what blocked the iframe.
                .headers().frameOptions().disable()
                // Note: this policy has no frame-ancestors directive, so nothing restricts
                // which sites may embed the app; frame-src only limits what the app itself
                // is allowed to embed.
                .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy",
                        "default-src https://*.[domain].com:* https://[domain].com:*;" +
                                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://[domain].com:* http://[domain].com:* https://www.[domain].com:*;" +
                                "style-src 'self' 'unsafe-inline' https://[domain].com:* http://[domain].com:* https://www.[domain].com:*;" +
                                "frame-src https://[domain].com:* https://[domain].com:*;"));

        // Alternative tried earlier: a custom HeaderWriter that sets the CSP with frame-ancestors.
        //super.configure(http);
//        http.headers().frameOptions().sameOrigin();
//        http.headers().addHeaderWriter(new HeaderWriter() {
//            @Override
//            public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
//                response.setHeader("Content-Security-Policy",
//                        "default-src 'self'; " +
//                                "style-src 'self' 'unsafe-inline' https://*;" +
//                                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*;" +
//                                "frame-ancestors 'self' https://*;");
//            }
//        });
    }
}

Beware of the many commented-out lines.

Regards,
Carlos.