TRIRIGA

 View Only
  • 1.  Advanced Room Search Add-in issue

    InnerCircle
    Posted Thu July 02, 2020 09:59 AM
    Hello Tririgans -

    Currently we are in process of configuring Reservation module for one of our customer. Part of which we are enabling the Advanced Room Search Add-in which came out as part of 3.6.1/10.6.1. Now are facing problems loading this plugin in web Outlook if X-Frame-Options is set to 'SAMEORIGIN' on the destination TRIRIGA. And below is the error from browser console

    Refused to display 'https://aetnasandbox.oncfi.com/p/web/outlook/roomSearch?et=' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

    This is a standard setting to mitigate XSS/CSS vulnerability which IBM also recommends (Ref: https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.1/com.ibm.tap.doc/pdfs_wiki/Security_Scan_Checklist.pdf).

    We do not want to remove this 'SAMEORIGIN' option totally but wanted to make this plugin work. Currently we are trying out Access-Control-allow-Origin setting but that has its own limitation. Hence checking if any of you encountered this issue, have any guidance\sugesstions. 

    Appreciate your time & response.


    ------------------------------
    Edwin David
    ------------------------------


  • 2.  RE: Advanced Room Search Add-in issue

    Posted Mon July 20, 2020 11:49 AM
    Great post. Thank you for sharing.

    ------------------------------
    Rosarito Bugania
    ------------------------------



  • 3.  RE: Advanced Room Search Add-in issue

    Posted Mon April 04, 2022 06:44 PM
    yes we are receiving similar issues. 
    Are you using SSO?  Our issue is that we don't control the cookie settings for SSO a bunch of the cookies get blocked and things go bad pretty quickly with authentication.

    We're you able to figure any out on this?

    Bob Nenne

    ------------------------------
    Robert Nenne
    ------------------------------



  • 4.  RE: Advanced Room Search Add-in issue

    Posted Tue April 05, 2022 05:21 PM
    Things have evolved and we are using SP initiated SSO now which is working fine with the Add-in. 
    IBM also made a document update in 3.8 where it was mentioned Add-in would not support SAMEORIGIN (Tri-67094-IJ26069)
    The alternate is to use Content-Security-Policy HTTP header and whitelisting the required domains (in this case office.com/office365.com). This would work along with SAMEORIGIN.

    Hope this helps.

    Thanks
    Edwin

    ------------------------------
    Edwin Premkumar David
    ------------------------------