Request to enable cross-site in our forms

replied on March 13, 2019

Modifying application code to add CORS headers is unnecessary. Most likely that suggestion is a blanket suggestion that assumes you have control of your website code rather than hosting a pre-made product.

Modifying Forms code (except for JS on forms) is not supported. Forms does not set default CORS headers. However, they can be inherited from the root of the website in IIS and the server settings.

CORS headers can be added to any website through IIS: https://enable-cors.org/server_iis7.html See also Microsoft documentation. You probably want to narrow down your origin to the 3rd party website rather than going with the "*" setup that allows anybody to use your Forms site.

X-frame-options are not the same as the CORS headers.

3 0

replied on March 8, 2019 • Show version history

Did they provide an example of the error they are getting?

We have a public-facing instance of Forms and I've never had any issue embedding it in an iframe in sites hosted on different servers.

0 0

View 3 previous replies

replied on March 8, 2019

Here is what they provided. I agree, not sure what all this talk about cross-origin is, I can put any site into an iFrame regardless of it's origin. We need to put a cap on the amount of new terminology generated per year in this industry.

"Blocked a frame with origin "siteURL" from accessing a cross-origin frame."

Thanks for your reply and for sending the dev console. It's very useful. Looks like your site has Cross-Origin Request Blocked. This means the website can only be displayed in the Same Origin domain. You might want to consult your Website developer on how to allow CORS or Cross-origin resource sharing on your website so it can be displayed within another site (ie. our player iframe).

0 0

replied on March 8, 2019 • Show version history

That doesn't sound right.

Some sites, like Google, won't display in a frame at all, but Forms isn't configured that way by default.

Are they only trying to display the form, or maybe they are trying to run JavaScript code against the form content, because that would make a big difference.

UPDATE: I'm 90% sure that specific error is the result of trying to run JavaScript on the contents of the frame, not CORS. If that is the case, then there's nothing you can change on your end because that is browser-level security.

0 0

replied on March 11, 2019

There is javascript in the form itself. They are just trying to view the form through a preview window from the third-party website, like an iFrame or a pop-up. It is for signage software, that puts web pages up on TV screens around the shop. The reason for the preview window is just to make it look just as it might on the TV, in case there is any display problems.

0 0

replied on March 11, 2019

JavaScript within the form should run fine, that error only comes up if the "parent" page tries to execute JavaScript on the contents of the frame.

If they were simply loading the form URL in the frame and not running JavaScript, then it shouldn't generate that specific error at all.

A totally different error comes up when you try to load a page that doesn't allow itself to be displayed in a cross-origin frame, like this

0 0

replied on March 11, 2019

I am not sure what would prompt their window to decide to run javascript on our site only. I will see what I can find out tomorrow when I am back onsite. Thanks for looking into this!

0 0

replied on March 11, 2019

Is it possible that the form's javascript has something that tries to perform actions on window.top or anything like that? Something like that could cause the issue as well.

0 0

Question

Question

Request to enable cross-site in our forms

Replies

Sign in to reply to this post.