Support Article
Error in iFrame - No 'Access-Control-Allow-Origin' header
Summary
The Pega application is launched in an iFrame of a different web application using the Pega Single Sign-On (SSO) URL, which is configured as SAMLAuth in the web.xml file. An error occurs when this web application makes a POST method call for SSO.
Error Messages
1. Error when web application makes a POST method call for SSO:
Access to XMLHttpRequest at 'https://XXXXX/prweb/sso' from origin 'https://XXXXX' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
2. Redirect was blocked for CORS request:
XMLHttpRequest: Network Error 0x2ef1, Could not complete the operation due to error 00002ef1.
Steps to Reproduce
- Create a SAMLAuth Authentication service data instance.
- Add a custom Authentication activity in SAMLAuth to perform authorization.
- Update the Dynamic System Settings (DSS) http/responseHeaders to:
{"X-XSS-Protection":"1; mode=block","X-Content-Type-Options":"no-sniff","X-Frame-Options":"SAMEORIGIN", "X-Frame-Options":"ALLOW-FROM https://webuiapplication url"}
- Configure Pega SSO URL in the web application to launch the Pega application in its iFrame.
- Click the Pega SSO URL from the web application.
Root Cause
For Error 1:
The application was accessed through the prweb or SSO URL, which is not a REST call. Pega performed CORS validation only for REST calls and sent the CORS headers only for those calls.
CORS validation of AJAX requests is performed by the browser.
For Error 2:
The CORS headers were configured incorrectly. The CORS policy allowed only two request headers (authorization and content-type), whereas the request listed three more under Access-Control-Request-Headers: accept, x-auth-token, and x-request-id.
Resolution
Perform the following local change:
For Error 1:
Use a non-AJAX request.
For Error 2:
Add accept, x-auth-token, and x-request-id to the CORS allowed headers.
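The two failures above can be reproduced offline by evaluating a preflight exchange the way the browser does. This is an added example, not Pega code; the function name checkPreflight, the origin https://portal.example, and all header values are constructed for illustration.

```javascript
// Added example: evaluates a CORS preflight request/response pair.
// All header values are constructed sample data, not captured traffic.
function parseList(value) {
  return (value || "").split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
}

// Returns the reasons a browser would block the request (empty array = pass).
function checkPreflight(req, res, withCredentials = false) {
  const allowOrigin = res["access-control-allow-origin"];
  // Error 1: the endpoint answers without any CORS headers.
  if (!allowOrigin) return ["no Access-Control-Allow-Origin header"];
  // "*" is rejected for credentialed requests; otherwise the origin must match exactly.
  if (allowOrigin === "*" ? withCredentials : allowOrigin !== req.origin) {
    return [`origin ${req.origin} not allowed`];
  }
  const allowed = new Set(parseList(res["access-control-allow-headers"]));
  // "*" is a wildcard only without credentials, and it never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  const problems = [];
  // Error 2: every name in Access-Control-Request-Headers must be allowed.
  for (const h of parseList(req["access-control-request-headers"])) {
    const ok = allowed.has(h) || (wildcard && h !== "authorization");
    if (!ok) problems.push(`request header not allowed: ${h}`);
  }
  return problems;
}

const preflight = {
  origin: "https://portal.example", // hypothetical embedding application
  "access-control-request-headers":
    "accept, authorization, content-type, x-auth-token, x-request-id",
};
const error1Response = {}; // non-REST URL: no CORS headers returned
const error2Response = {
  "access-control-allow-origin": "https://portal.example",
  "access-control-allow-headers": "authorization, content-type",
};
const fixedResponse = {
  ...error2Response,
  "access-control-allow-headers":
    "authorization, content-type, accept, x-auth-token, x-request-id",
};

console.log("Error 1:", checkPreflight(preflight, error1Response));
console.log("Error 2:", checkPreflight(preflight, error2Response));
console.log("Fixed:  ", checkPreflight(preflight, fixedResponse));
```

Listing the three missing headers explicitly, as the resolution does, keeps the allow-list narrow; a wildcard would still leave authorization blocked and is ignored for credentialed requests.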
Published August 17, 2019 - Updated December 2, 2021