FileMaker Server / WebDirect / cors

We got a small FileMaker solution for filling data into a form. Simple database, one page. Users can access that form via webdirect.
Windows 2016 Server located in a DMZ (Demilitarized Zone), FMS18.04

To get the data into the local system (LAN only, no direct access from outside the company, home-office users are on VMWare Horizon), we get the data via API-calls to the forms-server into the local fms solution

So far, so good...
But the company's CISO tested the FMS and found a leak 'Cross-origin resources sharing: arbitrary origin trusted' and wants us to fix that. The path for the culprit is /fmi/webd/PUSH

I believe that we as FM developers can do nothing in this game - but I do not know enough about cors

Does anybody have experience with that?

Thank You so much for any help, tips, suggestions

1 Like

An involved script requests resources from another domain (cross-origin means from a different domain). It is a common technique that gets flagged when a same-origin policy is enforced.
The author of the concerned JavaScript should look into that.

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

1 Like

Yes - but can we deal with this in any way from FMS? Does not FileMaker handle this whole thing?

Sorry, I forgot the word ‘Java’.

1 Like

I asked some IT-/security specialists (true ones, serious ones) and at least one was aware of that specific problem. In a hospital where some of the administration-staff wanted a webdirect solution, webdirect was not allowed because of this issue. Seems not to be an easy one (cors)

Means that webdirect seems not to be secure enough in some environment.

A solution would be to install a reverse proxy. My knowledge is by far not good enough )-:

But how was that quote from Johnny Mnemonic? - 'You got to be pretty technical, these days'...

@Markus ,

I googled "FileMaker CORS" and found:

How to enable CORS on FileMaker Server — FileMaker Community (claris.com)

In this case the OP wishes to send an image from a container to a server hosted on a different domain. Trying to do so he got CORS error. Seems the contact is in the opposite way, from external to FMS.

I think @FabriceN may help you. Hi Fabrice I see that you provided answers to a CORS question on another forum. Do you have suggestions for the OP ? Thanks !

1 Like

Thank You!

I've found that posting as well - opposite way, we have to disable cors, which seems to be enabled by default. I'm afraid that - if enabled by fms - cors might be important for some processes inside FMS

I am not sure CORS is turned on by FMS, I think I have read the converse.

As far as I understand CORS is setup at the Web server, IIS, Apache, etc.

1 Like

well.. in our case, it's turned on - and since there is no setting...

Could be, that -if there is a general setting on IIS- it was turned on by some other component. This behavior (not turned on by FMS) is part of my question

Is there something else hosted on the fms' IIS? Was the webserver set up before fms and someone has installed or activated cors?

1 Like

No, nothing else AFAIK. I was 'on site' during the first install - but that was not FMS 18.04...

Will try to find out. Would be good if we could test another FMS18 install (without having anything else installed) and check that one. I do not know with what software they checked..

See CORS Enabled - W3C Wiki Explains how to enable CORS on IIS 6 and 7.

Google for "iis cors" if this page does not help.

1 Like

just a report...

  • during FMS16, it was necessary to activate cors to have some functionality in webd when using webviewers.

  • with FMS18, this is no longer needed, FMS seems to have cors enabled

  • we will try to enable cors on IIS and restrict it to the own domain. But we have to wait for a meeting with the CISO of that company first

What is CORS (very simple)?
By default, web browsers will block requests that target info from a foreign domain. CORS lets us define some of those foreign domains to get 'white-listed' (or all, using a *)

A quote from a senior Project Manager of a bigger software company (not FM..)

"cors is something that allows me to use resources that are outside of my 'garden'. For that, I got technicians. And a CISO who kills all of that ASAP"

1 Like
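To verify on your own server whether the finding quoted earlier ("arbitrary origin trusted") is still present after changing the IIS setting, the check below classifies a response's CORS headers: no header, a `*` wildcard, a reflected foreign origin, or a fixed allow list. This is an added example, not code from FileMaker or from anyone in this thread; the host name, the test origin and the sample header sets are placeholders I constructed.

```python
"""Classify a server's CORS response for one probe origin (added example).
Host/origin values are placeholders; adjust before running against your FMS."""
import urllib.request
import urllib.error


def classify_cors(sent_origin, headers):
    """Label the CORS policy seen in one response.

    sent_origin: the Origin header value that was sent with the request.
    headers: mapping of response header names to values (looked up case-insensitively).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"  # browsers block cross-origin reads; nothing to fix
    if acao == "*":
        # '*' plus credentials is refused by browsers, but still a sloppy config
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == sent_origin:
        # Server echoed whatever Origin it was given: "arbitrary origin trusted"
        return "reflects-origin-with-credentials" if creds else "reflects-origin"
    return "restricted"  # fixed allow list that does not include our origin


def probe(url, test_origin="https://not-your-domain.example"):
    """Send one request with a foreign Origin and classify the reply.
    Example: probe("https://fms.example/fmi/webd/PUSH")  (placeholder host)."""
    req = urllib.request.Request(url, headers={"Origin": test_origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_cors(test_origin, dict(resp.headers))
    except urllib.error.HTTPError as e:
        # CORS headers on an error page count just as much as on a 200
        return classify_cors(test_origin, dict(e.headers))


# Constructed sample responses, not captured from a real FileMaker Server
SAMPLE_REFLECTED = {"Access-Control-Allow-Origin": "https://not-your-domain.example",
                    "Access-Control-Allow-Credentials": "true"}
SAMPLE_ALLOWLIST = {"Access-Control-Allow-Origin": "https://forms.example.com"}
SAMPLE_WILDCARD = {"Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    origin = "https://not-your-domain.example"
    print(classify_cors(origin, SAMPLE_REFLECTED))  # reflects-origin-with-credentials
    print(classify_cors(origin, SAMPLE_ALLOWLIST))  # restricted
    print(classify_cors(origin, SAMPLE_WILDCARD))   # wildcard
```

After restricting CORS on IIS to your own domain, the expected result for a foreign test origin is "restricted" or "no-cors".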

Release Notes for FMS 19.3...

  • In FileMaker WebDirect, the following security enhancements have been made:
    • adding trusted domains to an allow list is enabled when using cross-origin resource sharing (CORS)
    • directory listing on the web server has been turned off

(-:

2 Likes