
How to best set up cross origin allow

06-20-2025 08:08 AM
VirgilioPalmi
Esri Contributor

Hello, lately I've been seeing a lot of integrations from other websites of the maps that are published by ArcGIS Enterprise.

It seems that lately the web security levels are restricting two important options: allow cross origin and frame ancestors.

To allow the origins, is it right to leave IIS without any configuration and write the accepted domains in the appropriate section of the Portal under the heading Security Allow Origin?

Regarding any incorporations in iframes of other sites, it seems that the Portal does not allow any settings. In this case, is it right to enable frame-ancestors in IIS?

Thanks
Virgilio

0 Kudos
2 Replies
JeffSmith
Esri Contributor

Hi @VirgilioPalmi 
Regarding the CORS request - yes, I'd recommend leaving IIS without any configuration and adding specific domains to the list of "Allow origins" inside Portal under Organization > Security.

Regarding the frame-ancestors, we added the ability to define content-security-policy headers for the /home and /apps endpoints in the 11.4 release.  The /home app has the frame-ancestors CSP enabled by default.  The CSP for /apps is empty by default but adding the frame-ancestors can be easily done.  If you are using an earlier release, you can add the frame-ancestors CSP header through IIS but you may need to limit it to /home or /apps depending on your existing apps or services.

MichaelJenkins
Frequent Contributor

ArcGIS Enterprise supports cross-origin by default.  If you add domains to the "Allow Origins" list in Portal, it will LIMIT access to just those domains.

This list doesn't "allow", it "restricts to":

"By default, an ArcGIS Enterprise portal allows cross-domain requests via Cross-Origin Resource Sharing (CORS). This means a JavaScript client such as a web application hosted on any domain can connect to your portal's resources.

To restrict requests from specific domains for JavaScript applications, you can configure your portal to only trust certain domains. You'll do this by adding domain names to the list of allowed origins in your ArcGIS Enterprise portal's security settings. This reduces the possibility that an unknown application could send malicious commands to your web services."

GISP
0 Kudos
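
One way to check both settings discussed in this thread after changing them, shown as an added example that is not part of the thread or Esri's code: it evaluates a response's `frame-ancestors` directive and `Access-Control-Allow-Origin` header against the site that wants to embed or call the portal. The hosts `gis.example.com` and `partner.example` and the header values are constructed, and the source matching is a simplified form of the CSP rules (no port wildcards, no nested-frame chains).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None when it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, parent, own_origin):
    """Simplified CSP source matching: 'self', *, scheme:, host, *.host."""
    p = urlsplit(parent)
    if source.lower() == "'self'":
        return parent == own_origin
    if source == "*":
        return p.scheme in DEFAULT_PORTS
    if source.endswith(":"):                      # scheme source such as https:
        return p.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else f"{p.scheme}://{source}")
    if s.scheme != p.scheme:
        return False
    if (s.port or DEFAULT_PORTS.get(s.scheme)) != (p.port or DEFAULT_PORTS.get(p.scheme)):
        return False
    if s.hostname.startswith("*."):               # wildcard covers subdomains only
        return p.hostname.endswith(s.hostname[1:])
    return p.hostname == s.hostname

def can_embed(csp, parent, own_origin):
    """True if a page at `parent` may frame a response carrying this CSP."""
    sources = frame_ancestors(csp)
    if sources is None:
        return True                               # no directive: CSP does not restrict framing
    return any(source_matches(s, parent, own_origin)
               for s in sources if s.lower() != "'none'")

def cors_allows(headers, origin):
    """True if Access-Control-Allow-Origin lets script on `origin` read the response."""
    acao = {k.lower(): v for k, v in headers.items()}.get("access-control-allow-origin")
    return acao in ("*", origin)

# Constructed sample response headers (hypothetical hosts, not captured from a real portal).
PORTAL = "https://gis.example.com"
HOME = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
        "Access-Control-Allow-Origin": "https://maps.partner.example"}
```

Feed it the headers returned by the `/home` and `/apps` endpoints separately, since the thread notes their CSP defaults differ.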