Safari blocked the frames: myiFrameForSilentRenew and myiFrameForCheckSession.
'Blocked a frame with origin "https://xyz.azurewebsites.net" from accessing a frame with origin "https://xyz2.azurewebsites.net". Protocols, domains, and ports must match.'
Hi @pyotreq, you need to allow this on the server. Try configuring the CORS.
Greetings Damien
Hi, thank you for your response.
I have added below XML to web.config.
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="ALLOWALL" />
  </customHeaders>
</httpProtocol>
and in the response I get the header X-Frame-Options: AllowAll.
I also tried 'ALLOW-FROM https://xyz.azurewebsites.com', but Safari doesn't recognize ALLOW-FROM (https://erlend.oftedal.no/blog/tools/xframeoptions/).
The first and second solutions don't work on Safari, though I added CORS configuration in the Azure portal and in IDS Startup.cs, and everything works on Chrome, Opera, Vivaldi, IE and Edge.
Edit: I'm testing with Safari, v. 10.1.2
Thanks for the info.
OK, I'll do some testing with Safari, version 9.1.3
Did you load your web app within an iframe on a different domain?
This could also be fixed with PR #68
I have two web apps:
The iframe is added by OIDC Client to Angular: <iframe id="myiFrameForCheckSession" src="https://myids.azurewebsites.net/connect/checksession" style="display: none;"></iframe>
So yes, it's a different domain.
OK, I will check #68. Thank you for your response.
Oh no that is a different problem then.
I guess it is the CORS settings on your Identity Server.
Note on X-FRAME-OPTIONS (RFC 7034)
Can you check whether X-Frame-Options is served by your Identity Server for the checksession iframe? Because the checksession iframe is intended to be loaded on other sites, it should not have the header set.
For other sites, like the login site, it should not be possible to load them in an iframe on a different domain at all, so not sending the header globally for your whole Identity Server is not a good solution.
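The per-route policy described above, as an added example that is not IdentityServer's or the library's own code: the check-session endpoint is the one page meant to be framed by other origins, so it gets a CSP frame-ancestors allow-list built from the registered client origins, while every other page keeps a same-origin framing restriction. The path name, the origin list and the function names are assumptions made for the example; X-Frame-Options is left off the check-session route because ALLOWALL is not a valid value and ALLOW-FROM is not implemented by Safari or Chrome.

```javascript
// Added example (not IdentityServer's code): decide framing headers per path.
// Assumptions: the OP's check-session endpoint lives at CHECK_SESSION_PATH and
// the caller passes the client's registered origins (the AllowedCorsOrigins list).
const CHECK_SESSION_PATH = '/connect/checksession';

// Only exact https origins are accepted. A wildcard, a scheme-less host or a
// path would either be rejected by the browser or widen who may frame the OP.
function isValidOrigin(origin) {
  return /^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin);
}

// Returns the response headers to add for the given request path.
function frameProtectionHeaders(path, allowedClientOrigins) {
  if (path === CHECK_SESSION_PATH) {
    const bad = allowedClientOrigins.filter((o) => !isValidOrigin(o));
    if (bad.length > 0) {
      throw new Error(`invalid frame-ancestors origin(s): ${bad.join(', ')}`);
    }
    // No X-Frame-Options here: "ALLOWALL" is not a defined value and
    // "ALLOW-FROM" only ever worked in Firefox/IE. CSP frame-ancestors takes
    // a list of origins and is honoured by current Safari, Chrome, Firefox
    // and Edge (older IE ignores it, which leaves those users unframed but safe).
    const ancestors = allowedClientOrigins.length > 0
      ? allowedClientOrigins.join(' ')
      : "'none'"; // no registered clients: nobody may frame it
    return {
      'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    };
  }
  // Login, consent, logout and every other page: never framed cross-site.
  // Both headers are sent so browsers without CSP Level 2 still get protection.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}
```

Wire `frameProtectionHeaders(req.path, client.allowedCorsOrigins)` into whatever response pipeline the OP uses; the important property is that the allow-list is taken from the client registration, not from a global setting that also loosens the login pages.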
Version with fix from @NilsEngelbach is now released: 1.3.12
Thank you for your response and help.
Can you check if there are X-Frame-Options served by your Identity Server for the checksession IFrame
Identity Server doesn't send X-Frame-Options, but probably the default value is _SAMEORIGIN_. I think it is _SAMEORIGIN_ because if I change X-FRAME-OPTIONS (for instance: X-FRAME-OPTIONS = _MY_X-FRAME-VALUE_) and don't restart the app, then I get a message similar to "You have two values for X-FRAME-OPTIONS: _SAMEORIGIN_ and _MY_X-FRAME-VALUE_".
I've updated package to 1.3.12 and still it doesn't work.
I want to allow my Angular site to display the checksession iframe. I cannot use:
So, does other solution exist?
Like I said, the new version will not fix your issue, and I also think you should not have to set any headers manually, because integrating the checksession iframe in websites on other domains is basically what it is intended for.
Are you running your IdentityServer behind a proxy that adds headers or something?
Have you checked your Client Configuration on the IdentityServer, especially "AllowedCorsOrigins" property?
http://docs.identityserver.io/en/release/reference/client.html?highlight=AllowedCorsOrigins
Yes, I have configured AllowedCorsOrigins in IdentityServer.
Ok guys, it seems that everything works. I've changed the token's lifetime to 10 seconds and I get a new token every 10s despite the same error ("_blocked a frame with origin ..._"). It is just a logDebug that can be ignored. The log is created by this line -> https://github.com/damienbod/angular-auth-oidc-client/blob/fb366c47a9af7998e6ff18308576d2cdf1e3f9ad/src/services/oidc.security.check-session.ts#L63. It means that I get the error every 3 seconds.
So, my bad, my apologies. Thank you very much for your time and help :)
@pyotreq Oh, good point, I think there should also be a check if window.parent is accessible, like I did for silent renew...
So @damienbod can we close this one?
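The check-session exchange and the cross-origin guard discussed in the last few comments, as an added example that is not the library's own code: the RP posts `"<client_id> <session_state>"` to the OP's iframe and the OP frame answers `changed`, `unchanged` or `error` (OpenID Connect Session Management 1.0, section 4.2). The frame's `contentWindow` can still receive `postMessage` across origins, but reading any of its properties throws the "Blocked a frame with origin ..." SecurityError, so the example probes once and reports it instead of failing. The fake frame objects, the client id and session state are constructed for the example so it runs under Node without a browser; the OP origin is taken from the iframe src quoted in the thread.

```javascript
// Added example (not angular-auth-oidc-client's code): RP side of the OIDC
// check-session protocol, written as pure functions so it runs without a DOM.
// Assumptions: OP_ORIGIN is the identity server origin from the thread; the
// frame/window objects below are constructed stand-ins for real ones.
const OP_ORIGIN = 'https://myids.azurewebsites.net';

// Message the RP posts to the OP's check-session iframe: "<client_id> <session_state>".
function buildCheckSessionMessage(clientId, sessionState) {
  if (!clientId || /\s/.test(clientId)) throw new Error('invalid client_id');
  if (!sessionState || /\s/.test(sessionState)) throw new Error('invalid session_state');
  return `${clientId} ${sessionState}`;
}

// Interpret the OP frame's reply. The origin check is the security-relevant
// part: any window can post to the RP, so anything not from the OP is dropped.
function interpretCheckSessionReply(event, opOrigin) {
  if (event.origin !== opOrigin) return 'ignored';
  switch (event.data) {
    case 'changed': return 'changed';
    case 'unchanged': return 'unchanged';
    default: return 'error'; // spec value "error" and anything malformed
  }
}

// A cross-origin window can be referenced but not inspected: touching
// location.href throws a SecurityError. Probe once instead of logging on every poll.
function canAccessWindow(win) {
  try {
    return typeof win.location.href === 'string';
  } catch (e) {
    return false; // "Blocked a frame with origin ..." lands here
  }
}

// One polling iteration: post the check to the OP frame if it is loaded.
function pollCheckSession(iframe, clientId, sessionState, opOrigin) {
  const win = iframe.contentWindow;
  if (!win) return { posted: false, reason: 'frame not loaded' };
  const message = buildCheckSessionMessage(clientId, sessionState);
  // postMessage works regardless of origin; the targetOrigin argument makes
  // sure the session_state is only delivered to the real OP.
  win.postMessage(message, opOrigin);
  return { posted: true, sameOrigin: canAccessWindow(win), message };
}

// Constructed stand-in for an iframe element (no browser available).
// sameOrigin=false mimics the cross-origin behaviour Safari complained about.
function makeFakeFrame(sameOrigin) {
  const sent = [];
  const win = {
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
    get location() {
      if (!sameOrigin) throw new Error('SecurityError: Blocked a frame with origin');
      return { href: 'https://xyz.azurewebsites.net/' };
    },
  };
  return { contentWindow: win, sent };
}
```

In a real client the poll runs on a timer (the thread's log shows it every 3 seconds) and the reply is consumed in a `message` event listener that calls `interpretCheckSessionReply`; a `changed` result is the cue to start a silent renew or log the user out.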