CORS white listing

Hi OME team,

I’m looking to set up the CORS facility per:
The origin site has a number of (subdomain) hosts that can originate the requests and I noticed the CORS_ORIGIN_REGEX_WHITELIST option in the django-cors-headers docs. Is that option carried forward to OMERO.web? Or will I need to list them one by one in the omero.web.cors_origin_whitelist setting?


Only CORS_ORIGIN_WHITELIST (omero.web.cors_origin_whitelist) and CORS_ORIGIN_ALLOW_ALL (omero.web.cors_origin_allow_all) are recognised by OMERO.web 5.5.1:

However, there’s an additional option that lets you add arbitrary Django settings:

Something along the lines of
omero config append omero.web.django_additional_settings '["CORS_ORIGIN_REGEX_WHITELIST",["<regex>"]]'
may work
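To see what the regex whitelist does with a set of subdomains, here is an added example (not code from the thread or from OMERO.web / django-cors-headers) that reproduces the matching order in plain Python: allow-all, then the exact whitelist, then the regex list matched with `re.match`, which anchors only the start of the Origin value. The sample origins and both patterns are constructed; the point of the pair is that an unanchored pattern also accepts origins whose hostname merely begins with one of yours, so the pattern passed via `omero.web.django_additional_settings` should end in `$`.

```python
import re

# Constructed sample configuration mirroring the two OMERO.web CORS settings
# plus CORS_ORIGIN_REGEX_WHITELIST passed through django_additional_settings.
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = ["https://viewer.example.org"]

# Unanchored: re.match pins the start of the string only, the tail is free.
UNANCHORED_REGEX = r"^https://[a-z0-9-]+\.example\.org"
# Anchored: the whole Origin value (scheme, host, no extra suffix) must match.
ANCHORED_REGEX = r"^https://[a-z0-9-]+\.example\.org$"


def origin_allowed(origin, whitelist, regex_whitelist, allow_all=False):
    """Decide whether an Origin header value may receive a CORS response.

    Order follows django-cors-headers: allow-all, exact whitelist, then the
    regex whitelist checked with re.match (start-anchored only).
    """
    if allow_all:
        return True
    if origin in whitelist:
        return True
    return any(re.match(pattern, origin) for pattern in regex_whitelist)


def cors_response_headers(origin, whitelist, regex_whitelist,
                          allow_all=False, with_credentials=True):
    """Headers to add for an allowed origin, or {} when it is not allowed.

    The matched origin is echoed back instead of '*': browsers refuse a
    wildcard on responses to requests that carry cookies, which OMERO.web
    session requests do. 'Vary: Origin' keeps caches from serving one
    origin's answer to another. (Simplified relative to the real middleware.)
    """
    if not origin_allowed(origin, whitelist, regex_whitelist, allow_all):
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed origins: two legitimate subdomains and one look-alike.
    probes = [
        "https://a.example.org",
        "https://b.example.org",
        "https://a.example.org.evil.test",
    ]
    for pattern in (UNANCHORED_REGEX, ANCHORED_REGEX):
        print(pattern)
        for origin in probes:
            print("  ", origin, origin_allowed(origin, CORS_ORIGIN_WHITELIST, [pattern]))
```

Running the block prints that the unanchored pattern accepts the look-alike origin while the anchored one rejects it; the anchored form is the one to put in the `omero config append` command.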

Thanks Simon. I’ll give that a try.

Hi Simon,
I first tried to get the CORS stuff going with regular white listing and ran into the issue that OMERO.web wants Django<1.9 and django-cors-headers requires Django>1.11. OMERO.web will not start, neither with Django 1.8.19 nor with Django 1.11.24. So I’ll have to revert. Any ideas?

Try version 2.4.1

If OMERO.web isn’t starting pip might have upgraded some other dependency leading to a broken set of packages. If so recreating the virtualenv is the easiest option.

Thanks Simon. No problems with the 2.4.1 version.

Hi Simon,

A quick follow-up. Now that I have CORS set up, I am bumping into the next hurdle: I want the other server to display one of the OMERO viewers in an iFrame. And now I get in the browser console:

Refused to display ‘’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

I see that there is a config option called omero.web.x_frame_options that defaults to “sameorigin”, but I have no idea what to change it to in order to allow that other server to display the viewer in an iFrame. Can you help?


See the docs from Mozilla:

Unfortunately it looks like it’s not as easy as expected. It can be set to allow-from but Chrome and Safari don’t support this option, and in any case it only supports a single domain.

The current recommendation seems to be to replace X-Frame-Options with Content-Security-Policy.

I’ve added an OMERO.web issue:

In the meantime I don’t have an easy solution. You could try completely removing the X-Frame-Options header by disabling the middleware that adds it (django.middleware.clickjacking.XFrameOptionsMiddleware):

omero config set omero.web.middleware '[{"index": 1, "class": "django.middleware.common.BrokenLinkEmailsMiddleware"}, {"index": 2, "class": "django.middleware.common.CommonMiddleware"}, {"index": 3, "class": "django.contrib.sessions.middleware.SessionMiddleware"}, {"index": 4, "class": "django.middleware.csrf.CsrfViewMiddleware"}, {"index": 5, "class": "django.contrib.messages.middleware.MessageMiddleware"}]'

The default setting is here:

Alternatively you could try installing django-csp, adding it to omero.web.apps, and configuring it with omero.web.django_additional_settings. If you do this let us know if it works.
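As an added illustration of the two options in this reply (not code from the thread, OMERO.web or django-csp), the block below builds a `frame-ancestors` policy for a list of embedding origins and approximates the browser's framing decision: a `frame-ancestors` directive, when present, takes precedence over `X-Frame-Options`, `ALLOW-FROM` is not modelled because Chrome and Safari ignore it, and a response with neither header (the middleware removed) is framable from anywhere. Host matching is simplified to scheme, host, optional port and a leading `*.` wildcard. The `CSP_FRAME_ANCESTORS` setting name is the django-csp 3.x one and is an assumption to check against the django-csp version you install; all origins are constructed.

```python
import json
from urllib.parse import urlsplit


def frame_ancestors_header(allowed_origins):
    """Content-Security-Policy value that replaces X-Frame-Options.

    'self' keeps the viewer embeddable on OMERO.web's own pages.
    """
    return "frame-ancestors " + " ".join(["'self'"] + list(allowed_origins))


def csp_additional_settings(allowed_origins):
    """JSON for `omero config append omero.web.django_additional_settings`.

    Assumes django-csp 3.x, where the directive is the CSP_FRAME_ANCESTORS setting.
    """
    return json.dumps(["CSP_FRAME_ANCESTORS", ["'self'"] + list(allowed_origins)])


def _source_matches(source, embedder_origin):
    """Simplified CSP host-source match: scheme, host (with *. wildcard), port."""
    src, emb = urlsplit(source), urlsplit(embedder_origin)
    if src.scheme != emb.scheme or src.port != emb.port or not emb.hostname:
        return False
    if src.hostname.startswith("*."):
        # "*.example.org" covers subdomains only, not "example.org" itself.
        return emb.hostname.endswith(src.hostname[1:])
    return src.hostname == emb.hostname


def framing_allowed(response_headers, resource_origin, embedder_origin):
    """Approximate whether a browser will render resource_origin inside a
    frame served by embedder_origin, given the response headers.

    CSP frame-ancestors wins over X-Frame-Options when both are present
    (CSP Level 2 obsoletes the older header). Only DENY and SAMEORIGIN are
    honoured for X-Frame-Options. No header at all means no restriction.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "'self'":
                if embedder_origin == resource_origin:
                    return True
            elif _source_matches(src, embedder_origin):
                return True
        return False
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == resource_origin
    return True


if __name__ == "__main__":
    omero = "https://omero.example.org"       # constructed OMERO.web origin
    portal = "https://portal.example.org"     # constructed embedding site
    default = {"X-Frame-Options": "sameorigin"}
    with_csp = {"X-Frame-Options": "sameorigin",
                "Content-Security-Policy": frame_ancestors_header([portal])}
    print("default  :", framing_allowed(default, omero, portal))
    print("with CSP :", framing_allowed(with_csp, omero, portal))
    print("no header:", framing_allowed({}, omero, portal))
    print("omero config append omero.web.django_additional_settings",
          repr(csp_additional_settings([portal])))
```

The last line of the demo prints the `django_additional_settings` value in the same shape as the CORS regex command earlier in the thread; removing the middleware instead (the `omero.web.middleware` command above) corresponds to the "no header" case, where any site can frame the viewer.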