how to best set up cross origin allow

VirgilioPalmi
Esri Contributor

Hello, lately I've been seeing a lot of integrations from other websites of the maps that are published by ArcGIS Enterprise.

It seems that lately the web security levels are restricting two important options: allow cross-origin and frame-ancestors.

To allow the origins, is it right to leave IIS without any configuration and write the accepted domains in the appropriate section of the Portal under the heading Security Allow Origin?

Regarding any incorporations in iframes of other sites, it seems that the Portal does not allow any settings. In this case, is it right to enable frame-ancestors in IIS?

Thanks
Virgilio

JeffSmith
Esri Contributor

Hi @VirgilioPalmi 
Regarding the CORS request - yes, I'd recommend leaving IIS without any configuration and adding specific domains to the list of "Allow origins" inside Portal under Organization > Security.

Regarding the frame-ancestors, we added the ability to define content-security-policy headers for the /home and /apps endpoints in the 11.4 release.  The /home app has the frame-ancestors CSP enabled by default.  The CSP for /apps is empty by default but adding the frame-ancestors can be easily done.  If you are using an earlier release, you can add the frame-ancestors CSP header through IIS but you may need to limit it to /home or /apps depending on your existing apps or services.

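A way to check the two settings discussed in this thread once they are in place, as an added example that is not part of the original posts or Esri's own code. It evaluates the `Content-Security-Policy` and `Access-Control-Allow-Origin` values a response carries; a browser enforces every CSP header it receives, so a `frame-ancestors` header added in IIS on top of one the application already sends can only tighten the result. The URLs and header values are constructed, and the source matching is simplified as noted in the comments.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or {"https": 443, "http": 80}.get(u.scheme)

def source_matches(source, embedder, self_url):
    """Match one frame-ancestors source against the embedding page.
    Simplified: no port wildcards; a bare host inherits the page's scheme."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin(embedder) == origin(self_url)
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return origin(embedder)[0] == source[:-1].lower()
    if "://" not in source:
        source = urlsplit(self_url).scheme + "://" + source
    scheme, host, port = origin(embedder)
    s_scheme, s_host, s_port = origin(source)
    if (s_scheme, s_port) != (scheme, port):
        return False
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])
    return host == s_host

def framing_allowed(csp_values, embedder, self_url):
    """Every Content-Security-Policy header is enforced independently, so a
    policy added in IIS cannot loosen one the application already sends."""
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if not any(source_matches(s, embedder, self_url) for s in parts[1:]):
                    return False
                break  # only the first frame-ancestors in a policy counts
    return True

def cors_allowed(acao, request_origin):
    """True if the Access-Control-Allow-Origin value admits the caller."""
    return acao is not None and acao.strip() in ("*", request_origin)

# Constructed sample values, not captured from a real Portal.
PAGE = "https://gis.example.com/portal/home/"
PARTNER = "https://www.partner.example"
FROM_APP = "frame-ancestors 'self'"
FROM_IIS = "frame-ancestors 'self' https://www.partner.example"
```

If both `FROM_APP` and `FROM_IIS` reach the browser, the partner site is still blocked from framing the page, which is why the header should be set in one place only.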