CORS white listing

Hi OME team,

I’m looking to set up the CORS facility per: https://docs.openmicroscopy.org/omero/5.5.1/sysadmins/unix/install-web.html#setting-up-cors
The origin site has a number of (subdomain) hosts that can originate the requests and I noticed the CORS_ORIGIN_REGEX_WHITELIST option in the django-cors-headers docs. Is that option carried forward to OMERO.web? Or will I need to list them one by one in the omero.web.cors_origin_whitelist setting?

Thanks,
Damir

Only CORS_ORIGIN_WHITELIST (omero.web.cors_origin_whitelist) and CORS_ORIGIN_ALLOW_ALL (omero.web.cors_origin_allow_all) are recognised by OMERO.web 5.5.1:

However there’s an additional option that lets you add arbitrary Django settings:
https://docs.openmicroscopy.org/omero/5.5.1/sysadmins/config.html#omero-web-django-additional-settings

Something along the lines of
omero config append omero.web.django_additional_settings '["CORS_ORIGIN_REGEX_WHITELIST",["<regex>"]]'
may work

Thanks Simon. I’ll give that a try.
Cheers,
Damir

Hi Simon,
I first tried to get the CORS stuff going with regular white listing and ran into the issue that OMERO.web wants Django<1.9 and django-cors-headers requires Django>1.11. OMERO.web will not start, neither with Django 1.8.19 nor with Django 1.11.24. So I’ll have to revert. Any ideas?
Thanks,
Damir

Try version 2.4.1 https://github.com/adamchainz/django-cors-headers/blob/2.4.1/README.rst

If OMERO.web isn’t starting pip might have upgraded some other dependency leading to a broken set of packages. If so recreating the virtualenv is the easiest option.

Thanks Simon. No problems with the 2.4.1 version.
Damir

Hi Simon,

A quick follow-up. Now that I have CORS set up, I am bumping into the next hurdle: I want the other server to display one of the OMERO viewers in an iFrame. And now I get in the browser console:

Refused to display ‘https://lincs.ohsu.edu/webclient/login/?url=%2Fwebgateway%2Fimg_detail%2F4000808%2F’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

I see that there is a config option called: omero.web.x_frame_options that defaults to “sameorigin” but I have no idea what to change it to to allow that other server to display the viewer in an iFrame. Can you help?

Thanks,
Damir

See the docs from Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Unfortunately it looks like it’s not as easy as expected. It can be set to allow-from https://example.com/ but Chrome and Safari don’t support this option, and in any case it only supports a single domain.

The current recommendation seems to be to replace X-Frame-Options with Content-Security-Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

I’ve added an OMERO.web issue: https://github.com/ome/omero-web/issues/21

In the meantime I don’t have an easy solution. You could try completely removing the X-Frame-Options header by disabling the middleware that adds it (django.middleware.clickjacking.XFrameOptionsMiddleware):

omero config set omero.web.middleware '[{"index": 1, "class": "django.middleware.common.BrokenLinkEmailsMiddleware"}, {"index": 2, "class": "django.middleware.common.CommonMiddleware"}, {"index": 3, "class": "django.contrib.sessions.middleware.SessionMiddleware"}, {"index": 4, "class": "django.middleware.csrf.CsrfViewMiddleware"}, {"index": 5, "class": "django.contrib.messages.middleware.MessageMiddleware"}]'

The default setting is here: https://github.com/ome/omero-web/blob/v5.5.dev2/omeroweb/settings.py#L382-L397

Alternatively you could try installing django-csp, add it to omero.web.apps, and configuring it with omero.web.django_additional_settings. If you do this let us know if it works.
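As an added illustration (not code from the thread or from OMERO.web), the following Python models how a browser decides whether a page such as the OMERO viewer may be shown in another site's iframe under the options discussed above: X-Frame-Options sameorigin or allow-from, no header at all (the middleware removed), and a Content-Security-Policy frame-ancestors directive such as django-csp could emit. The hostnames in the tests are taken from the thread; the header values are constructed.

```python
# Added example (not from the OME thread): models how a browser decides whether
# the OMERO.web viewer may be shown in another site's iframe under the options
# discussed above: X-Frame-Options sameorigin / allow-from, no header at all,
# and a Content-Security-Policy frame-ancestors directive (e.g. via django-csp).
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source, framer, page_url):
    """Match one frame-ancestors source ('self', '*', host, *.host) to framer."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == _origin(page_url)
    if source == "*":
        return True
    scheme, host = source.split("://", 1) if "://" in source else (None, source)
    fs = urlsplit(framer)
    if scheme and scheme != fs.scheme:
        return False
    if host.startswith("*."):           # wildcard subdomains, e.g. *.ohsu.edu
        return fs.hostname.endswith(host[1:])
    return fs.netloc == host


def framing_allowed(headers, page_url, framer_url):
    """True if page_url may be framed by framer_url, given its response headers.
    frame-ancestors wins over X-Frame-Options in CSP-aware browsers; no header
    at all (XFrameOptionsMiddleware disabled) lets ANY site frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    framer = _origin(framer_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, framer, page_url) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer == _origin(page_url)
    if xfo.startswith("allow-from "):   # legacy form, not honoured by Chrome/Safari
        return framer == _origin(xfo.split(None, 1)[1])
    return True
```

The second scenario shows why removing the middleware is a blunt tool: with no header the page can be framed from anywhere, whereas a frame-ancestors list restricts framing to the named hosts.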