Having issues with CORS/CSP with multiple domains

Discussion in 'General' started by Standish, Jul 10, 2018.

  1. Standish

    Standish New Member


    I have a website with 4 domains, one for each language. It uses Wordpress and WPML. The page builder is using an iFrame to preview the page content, on their own domain.

    I tried to add in my .htaccess
    - Header set Content-Security-Policy "frame-ancestors https://DOMAIN1.com https://DOMAIN2.com" (with and without https)
    - Header set Content-Security-Policy "frame-src https://DOMAIN1.com https://DOMAIN2.com" (with and without https)
    - Header set Access-Control-Allow-Origin "*"

    But it still does not work.

    This is the simple code I used to reproduce the issue:

    <iframe id="elementor-preview-iframe" src="https://DOMAIN2.COM/test.txt" allowfullscreen="1"></iframe>
    <button onclick="document.getElementById('elementor-preview-iframe').contentWindow.print();">Test</button>

    When I call https://DOMAIN1.COM/script.html and click on the button, I get:
    Uncaught DOMException: Blocked a frame with origin "https://DOMAIN1.COM" from accessing a cross-origin frame.

    When I call it from DOMAIN2.COM/script.html, everything works as expected.

    Do you have any clues?
  2. Pong

    Pong Well-Known Member Staff Member

    Is your WordPress a multi-site setup? Are domain1.com and domain2.com pointing to the same virtual host? If so, you can set the header in the same .htaccess for that virtual host. Otherwise, make sure to set the header on the domain1.com virtual host and on the domain2.com virtual host.

    Also check your domain page for headers to see if they are OK; if not, then the correct header may not be set on that domain yet.
  3. Standish

    Standish New Member

    It's not a multisite; they are in the same virtual host.
    If I inspect the request, I can see that the headers are set correctly on both domains, but they are just not applied.
    This is why I created a simple two-line PHP script to test it (to be sure I control all headers, since WP manipulates them itself). Even using this script, I can see that the script headers (and the iframe target headers) were identical during my tests.
  4. Pong

    Pong Well-Known Member Staff Member

    If the headers are correct, then it means there is no issue with setting CORS headers on LSWS, and it doesn't seem to be a LiteSpeed Web Server related question.
    You should ask yourself: does your proposed 'Access-Control-Allow-Origin "*"' header fix the iframe issue? It doesn't seem like it, according to some posts like the following (one saying: "iframe Same-origin policy.
    Not to be confused with CORS!"). You may need to consult an iframe specialist/forum.
    Last edited: Jul 10, 2018
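The DOMException quoted in the first post is the browser's same-origin policy: neither CORS nor CSP frame-ancestors grants a parent page script access to a cross-origin frame's contentWindow. The standard pattern is for the parent to send a message to the frame with postMessage, and for the framed document to print itself only after checking event.origin against an allowlist. This is an added example written for this thread, not code from any poster or from LiteSpeed; the domain names are the thread's placeholders and the button id 'print-btn' is an assumption.

```javascript
// Added example: cross-document messaging instead of direct contentWindow access.
// Domain names are the thread's placeholders; the 'print-btn' id is an assumption.

// Normalise an origin or URL string to its canonical origin ("https://domain1.com").
// The URL parser lowercases the host, so DOMAIN1.COM and domain1.com compare equal.
// Returns null for anything unparsable, so a bad allowlist entry never matches anything.
function canonicalOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Build a Set of canonical origins from the site's language domains.
function buildAllowlist(domains) {
  return new Set(domains.map(canonicalOrigin).filter(Boolean));
}

// Runs inside the framed document (https://DOMAIN2.COM/...): honour a print
// request only when the sender's origin is on the allowlist. Returns true if printed.
function handlePrintRequest(event, allowlist, printFn) {
  if (!allowlist.has(event.origin)) return false;              // unknown sender: ignore
  if (!event.data || event.data.type !== 'print') return false; // unknown message: ignore
  printFn();
  return true;
}

// Runs in the parent (https://DOMAIN1.COM/script.html): address the message to the
// frame's exact origin so it is not delivered if the frame has navigated elsewhere.
function requestPrint(frameWindow, frameOrigin) {
  frameWindow.postMessage({ type: 'print' }, frameOrigin);
}

// Browser wiring, guarded so the same file also loads outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const ALLOWED = buildAllowlist(['https://DOMAIN1.com', 'https://DOMAIN2.com']);
  if (window !== window.top) {
    // Framed document side: listen for print requests from allowed parents only.
    window.addEventListener('message', (e) => handlePrintRequest(e, ALLOWED, () => window.print()));
  }
  const frame = document.getElementById('elementor-preview-iframe');
  const btn = document.getElementById('print-btn');
  if (frame && btn) {
    btn.onclick = () => requestPrint(frame.contentWindow, canonicalOrigin(frame.src));
  }
}
```

The framed document must include this script too; the parent's Content-Security-Policy headers play no part in whether the message is accepted, only the origin check in handlePrintRequest does.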
