TRIRIGA

Hello Tririgans -

Currently we are in process of configuring Reservation module for one of our customer. Part of which we are enabling the Advanced Room Search Add-in which came out as part of 3.6.1/10.6.1. Now are facing problems loading this plugin in web Outlook if X-Frame-Options is set to 'SAMEORIGIN' on the destination TRIRIGA. And below is the error from browser console

Refused to display 'https://aetnasandbox.oncfi.com/p/web/outlook/roomSearch?et=' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

This is a standard setting to mitigate XSS/CSS vulnerability which IBM also recommends (Ref: https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.1/com.ibm.tap.doc/pdfs_wiki/Security_Scan_Checklist.pdf).

We do not want to remove this 'SAMEORIGIN' option totally but wanted to make this plugin work. Currently we are trying out Access-Control-allow-Origin setting but that has its own limitation. Hence checking if any of you encountered this issue, have any guidance\sugesstions. 

Appreciate your time & response.


------------------------------
Edwin David
------------------------------

#TRIRIGA
#AssetandFacilitiesManagement

Great post. Thank you for sharing.

------------------------------
Rosarito Bugania
------------------------------

Original Message:
Sent: Wed July 01, 2020 02:23 PM
From: Edwin David
Subject: Advanced Room Search Add-in issue

Hello Tririgans -

Currently we are in process of configuring Reservation module for one of our customer. Part of which we are enabling the Advanced Room Search Add-in which came out as part of 3.6.1/10.6.1. Now are facing problems loading this plugin in web Outlook if X-Frame-Options is set to 'SAMEORIGIN' on the destination TRIRIGA. And below is the error from browser console

Refused to display 'https://aetnasandbox.oncfi.com/p/web/outlook/roomSearch?et=' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

This is a standard setting to mitigate XSS/CSS vulnerability which IBM also recommends (Ref: https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.1/com.ibm.tap.doc/pdfs_wiki/Security_Scan_Checklist.pdf).

We do not want to remove this 'SAMEORIGIN' option totally but wanted to make this plugin work. Currently we are trying out Access-Control-allow-Origin setting but that has its own limitation. Hence checking if any of you encountered this issue, have any guidance\sugesstions. 

Appreciate your time & response.


------------------------------
Edwin David
------------------------------

#AssetandFacilitiesManagement
#TRIRIGA

yes we are receiving similar issues. 
Are you using SSO?  Our issue is that we don't control the cookie settings for SSO a bunch of the cookies get blocked and things go bad pretty quickly with authentication.

We're you able to figure any out on this?

Bob Nenne

------------------------------
Robert Nenne
------------------------------

Original Message:
Sent: Wed July 01, 2020 02:23 PM
From: Edwin David
Subject: Advanced Room Search Add-in issue

Hello Tririgans -

Currently we are in process of configuring Reservation module for one of our customer. Part of which we are enabling the Advanced Room Search Add-in which came out as part of 3.6.1/10.6.1. Now are facing problems loading this plugin in web Outlook if X-Frame-Options is set to 'SAMEORIGIN' on the destination TRIRIGA. And below is the error from browser console

Refused to display 'https://aetnasandbox.oncfi.com/p/web/outlook/roomSearch?et=' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

This is a standard setting to mitigate XSS/CSS vulnerability which IBM also recommends (Ref: https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.1/com.ibm.tap.doc/pdfs_wiki/Security_Scan_Checklist.pdf).

We do not want to remove this 'SAMEORIGIN' option totally but wanted to make this plugin work. Currently we are trying out Access-Control-allow-Origin setting but that has its own limitation. Hence checking if any of you encountered this issue, have any guidance\sugesstions. 

Appreciate your time & response.


------------------------------
Edwin David
------------------------------

#AssetandFacilitiesManagement
#TRIRIGA

Things have evolved and we are using SP initiated SSO now which is working fine with the Add-in. 
IBM also made a document update in 3.8 where it was mentioned Add-in would not support SAMEORIGIN (Tri-67094-IJ26069)
The alternate is to use Content-Security-Policy HTTP header and whitelisting the required domains (in this case office.com/office365.com). This would work along with SAMEORIGIN.

Hope this helps.

Thanks
Edwin

------------------------------
Edwin Premkumar David
------------------------------

Original Message:
Sent: Mon April 04, 2022 06:43 PM
From: Robert Nenne
Subject: Advanced Room Search Add-in issue

yes we are receiving similar issues. 
Are you using SSO?  Our issue is that we don't control the cookie settings for SSO a bunch of the cookies get blocked and things go bad pretty quickly with authentication.

We're you able to figure any out on this?

Bob Nenne

------------------------------
Robert Nenne

Original Message:
Sent: Wed July 01, 2020 02:23 PM
From: Edwin David
Subject: Advanced Room Search Add-in issue

Hello Tririgans -

Currently we are in process of configuring Reservation module for one of our customer. Part of which we are enabling the Advanced Room Search Add-in which came out as part of 3.6.1/10.6.1. Now are facing problems loading this plugin in web Outlook if X-Frame-Options is set to 'SAMEORIGIN' on the destination TRIRIGA. And below is the error from browser console

Refused to display 'https://aetnasandbox.oncfi.com/p/web/outlook/roomSearch?et=' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

This is a standard setting to mitigate XSS/CSS vulnerability which IBM also recommends (Ref: https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.1/com.ibm.tap.doc/pdfs_wiki/Security_Scan_Checklist.pdf).

We do not want to remove this 'SAMEORIGIN' option totally but wanted to make this plugin work. Currently we are trying out Access-Control-allow-Origin setting but that has its own limitation. Hence checking if any of you encountered this issue, have any guidance\sugesstions. 

Appreciate your time & response.


------------------------------
Edwin David
------------------------------

#TRIRIGA
#AssetandFacilitiesManagement