Support Article

Error in iFrame - No 'Access-Control-Allow-Origin' header



The Pega application is launched in the iFrame of a different web application using a Pega Single Sign-On (SSO) URL that is configured as SAMLAuth in the web.xml file. The error occurs when this web application makes a POST call to the SSO URL.

Error Messages

1. Error when web application makes a POST method call for SSO:

Access to XMLHttpRequest at 'https://XXXXX/prweb/sso' from origin 'https://XXXXX' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

2. Redirect was blocked for CORS request:

XMLHttpRequest: Network Error 0x2ef1, Could not complete the operation due to error 00002ef1.

Steps to Reproduce

  1. Create a SAMLAuth Authentication service data instance.
  2. Add a custom Authentication activity in SAMLAuth to perform authorization.
  3. Update the Dynamic System Settings (DSS) http/responseHeaders to:

    {"X-XSS-Protection":"1; mode=block","X-Content-Type-Options":"no-sniff","X-Frame-Options":"SAMEORIGIN", "X-Frame-Options":"ALLOW-FROM https://webuiapplication url"}
  4. Configure Pega SSO URL in the web application to launch the Pega application in its iFrame.
  5. Click the Pega SSO URL from the web application.

Root Cause

For Error 1:

The application was accessed through the prweb or SSO URL, which is not a REST call. Pega performs CORS validation, and sends the CORS response headers, only for REST calls.

CORS validation of an AJAX request is performed by the browser, so a response without the CORS headers is blocked.

For Error 2:

The CORS configuration was incorrect. Only two request headers (authorization and content-type) were allowed, whereas the preflight request's Access-Control-Request-Headers listed three more: accept, x-auth-token, and x-request-id.


Perform the following local change:

For Error 1:

Use a non-AJAX request.

For Error 2:

Add accept, x-auth-token, and x-request-id to the CORS allowed headers.
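As an added illustration (not part of the original article and not Pega's own code), the following Python models the two browser-side checks behind the errors above: the actual response must carry an Access-Control-Allow-Origin header that names the caller's origin (Error 1), and every header listed in the preflight's Access-Control-Request-Headers must be covered by Access-Control-Allow-Headers (Error 2). The origins and header values are constructed samples; the simulation requires an allow entry for every requested header, which is what the Error 2 fix does.

```python
"""
Simplified model of the browser-side CORS checks behind the two errors on
this page. Added illustration, not Pega's implementation; origins and header
values are constructed samples.
"""

WEB_APP_ORIGIN = "https://webapp.example"   # constructed sample origin of the iFrame host


def origin_allowed(response_headers, request_origin, with_credentials=False):
    """Error 1: the browser requires Access-Control-Allow-Origin to name the
    caller's origin ('*' is accepted only for requests without credentials).
    Returns (ok, reason)."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    acao = lower.get("access-control-allow-origin")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao == "*":
        if with_credentials:
            return False, "Wildcard origin is not allowed for credentialed requests."
        return True, "ok"
    if acao == request_origin:
        return True, "ok"
    return False, f"Origin '{request_origin}' is not allowed (got '{acao}')."


def preflight_headers_allowed(allowed_headers, requested_headers):
    """Error 2: every header named in Access-Control-Request-Headers must be
    matched case-insensitively by an entry in Access-Control-Allow-Headers
    (or the list must be '*'). Returns (ok, missing)."""
    allowed = {h.strip().lower() for h in allowed_headers.split(",") if h.strip()}
    requested = [h.strip().lower() for h in requested_headers.split(",") if h.strip()]
    if "*" in allowed:
        return True, []
    missing = [h for h in requested if h not in allowed]
    return not missing, missing


def simulate_sso_post(allow_headers_value, include_acao):
    """Run both checks for the scenario on this page: the web application
    POSTs to /prweb/sso from its own origin, sending Authorization,
    Content-Type, Accept, X-Auth-Token and X-Request-Id."""
    requested = "authorization,content-type,accept,x-auth-token,x-request-id"
    ok_headers, missing = preflight_headers_allowed(allow_headers_value, requested)
    if not ok_headers:
        # The browser stops here; the POST is never sent.
        return f"preflight rejected: headers not allowed: {', '.join(missing)}"
    # Constructed response from the non-REST /prweb/sso endpoint.
    response = {"Content-Type": "text/html"}
    if include_acao:
        response["Access-Control-Allow-Origin"] = WEB_APP_ORIGIN
    ok_origin, reason = origin_allowed(response, WEB_APP_ORIGIN, with_credentials=True)
    return "allowed" if ok_origin else f"blocked: {reason}"


if __name__ == "__main__":
    # Error 2: only authorization and content-type were allowed.
    print(simulate_sso_post("authorization, content-type", include_acao=True))
    # Corrected allow list from the resolution above.
    print(simulate_sso_post("authorization, content-type, accept, x-auth-token, x-request-id",
                            include_acao=True))
    # Error 1: the non-REST /prweb/sso response carries no CORS headers at all,
    # so even a correct allow list does not help an AJAX caller.
    print(simulate_sso_post("authorization, content-type, accept, x-auth-token, x-request-id",
                            include_acao=False))
```

The third case shows why the Error 1 fix is a non-AJAX request rather than a header change: a plain navigation or form POST is not subject to the browser's CORS check, whereas an XMLHttpRequest to an endpoint that never emits Access-Control-Allow-Origin is always blocked.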

Published July 23, 2019 - Updated August 16, 2019
