We got a small FileMaker solution for filling data into a form. Simple database, one page. Users can access that form via webdirect.
Windows 2016 Server located in a DMZ (Demilitarized Zone), FMS18.04
To get the data into the local system (LAN only, no direct access from outside the company, home-office users are on VMWare Horizon), we get the data via API calls to the forms server into the local FMS solution.
So far, so good...
But the company's CISO tested the FMS and found a leak 'Cross-origin resources sharing: arbitrary origin trusted' and wants us to fix that. The path for the culprit is /fmi/webd/PUSH
I believe that we as FM developers can do nothing in this game - but I do not know enough about CORS.
An involved script requests resources from another domain (cross-origin means from a different domain). It is a common technique that gets flagged when a same-origin policy is enforced.
The author of the concerned JavaScript should look into that.
I asked some IT/security specialists (true ones, serious ones) and at least one was aware of that specific problem. In a hospital where some of the administration staff wanted a WebDirect solution, WebDirect was not allowed because of this issue. Seems not to be an easy one (CORS).
Means that webdirect seems not to be secure enough in some environment.
A solution would be to install a reverse proxy. My knowledge is by far not good enough )-:
But how was that quote from Johnny Mnemonic? - 'You got to be pretty technical, these days'...
In this case the OP wishes to send an image from a container to a server hosted on a different domain. Trying to do so he got CORS error. Seems the contact is in the opposite way, from external to FMS.
I think @FabriceN may help you. Hi Fabrice I see that you provided answers to a CORS question on another forum. Do you have suggestions for the OP ? Thanks !
I've found that posting as well - opposite way, we have to disable CORS, which seems to be enabled by default. I'm afraid that - if enabled by FMS - CORS might be important for some processes inside FMS.
well.. in our case, it's turned on - and since there is no setting...
Could be that - if there is a general setting on IIS - it was turned on by some other component. This behavior (not turned on by FMS) is part of my question.
No, nothing else AFAIK. I was 'on site' during the first install - but that was not FMS 18.04...
Will try to find out. Would be good if we could test another FMS18 install (without having anything else installed) and check that one. I do not know with what software they checked..
During FMS16, it was necessary to activate CORS to have some functionality in webd when using webviewers.
With FMS18, this is no longer needed; FMS seems to have CORS enabled.
We will try to enable CORS on IIS and restrict it to the own domain. But we have to wait for a meeting with the CISO of that company first.
What is CORS (very simple)?
By default, web browsers will block requests that target info from a foreign domain. CORS lets us define some of those foreign domains to get 'white-listed' (or all, using a *).
A quote from a senior Project Manager of a bigger software company (not FM..)
"CORS is something that allows me to use resources that are outside of my 'garden'. For that, I got technicians. And a CISO who kills all of that ASAP"
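
Added example, not written by any poster in this thread and not FileMaker or IIS code: Python for the two checks the thread circles around, namely how to read a response for the "arbitrary origin trusted" condition and how a reverse proxy would restrict the grant to the site's own origin. It assumes the finding means the server echoed back an `Origin` it had no reason to trust; `forms.example.com` and `probe.invalid` are constructed hostnames.

```python
from urllib.parse import urlsplit

# Assumption: the only origin that should be trusted is the form server's own.
ALLOWED_ORIGINS = {"https://forms.example.com"}


def normalize_origin(value):
    """Return scheme://host[:port], or None if value is not a plain web origin."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    return f"{origin}:{port}" if port else origin


def cors_headers_for(request_origin, allowed=ALLOWED_ORIGINS):
    """Headers a proxy would add: grant only on an exact allowlist match."""
    origin = normalize_origin(request_origin)
    if origin in allowed:
        # Vary: Origin keeps caches from serving one origin's grant to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {"Vary": "Origin"}


def classify_response(probe_origin, response_headers):
    """Classify a reply to a request that carried probe_origin.

    probe_origin must be an origin the site has no reason to trust.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors-grant"
    if acao == "*":
        return "wildcard"
    if acao == probe_origin:
        suffix = "+credentials" if creds else ""
        return "arbitrary-origin-trusted" + suffix
    return "restricted"
```

The same comparison can be done by hand against a server you administer: send a request with an `Origin` header you control and look at the `Access-Control-Allow-Origin` value in the reply.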