[Bug] CORS configurations doesnt work in Iframe Ohif

[MatheusRdk]

Describe the Bug

Hello. I have a CORS problem in the Viewer. We need to use MPR, but the Cross-origin isolation error appears. More specifically, it only happens when it is in an iframe. It does not occur in isolation.
We have already followed the steps in the documentation to use the viewer in an iframe, but nothing works.
Our server, which opens the viewer in an iframe, is a Java with JSF, and Tomcat.
When deploying to kubernetes, we place the following configurations in ingresses:

    traefik.ingress.kubernetes.io/custom-response-headers: >-
      Access-Control-Allow-Origin: *||Cross-Origin-Opener-Policy:
      same-origin||Cross-Origin-Resource-Policy:
      same-site||Cross-Origin-Embedder-Policy: require-corp

Both on ohif and on the main server, it is the same configuration.

When we use a window.crossOriginIsolated in the browser console, they both return true
and in the ohif source code the cors settings are also set correctly

We have already tried different configurations for both, in different headers, same site, same origin, crossorigin, credentialless, the main domain or * in Access-Control-Allow-Origin, all possibilities. And nothing has worked so far.

I would like some guidance on how to correctly use the iframe, since I followed the documentation directly and it still didn't work.

Thanks in advance.

Steps to Reproduce

1. Install ohif
2. Install a Java with tomcat server and try to render ohif in an iframe
3. Set the Access-Control-Allow-Origin, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy headers in the main application server and ohif.
4. Check if the cross origin isolation error persists

The current behavior

Cross Isolation Error persisting

The expected behavior

Use ohif as an iframe without Cross Isolation Error.

OS

Windows 10

Node version

18.12.0

Browser

Firefox 121.0 | Chrome

[highoncarbs]

@MatheusRdk Do you think this might be related #4191 ? If so, can you share your comments on those as well ?

[MatheusRdk]

@MatheusRdk Do you think this might be related #4191 ? If so, can you share your comments on those as well ?

Hi, apparently they are different problems. My problem is related to opening the viewer in an iframe, but I'll comment there

[MatheusRdk]

@MatheusRdk Do you think this might be related #4191 ? If so, can you share your comments on those as well ?

I saw that you managed to solve it, great!

[sedghi]

So like @highoncarbs solution, the solution is in your server, not familiar with tomcat but most likely you are setting the data wrong. When you get the response headers does it have those new added headers?

[MatheusRdk]

Yes, the headers are updated when I change them. I still need to test it, but I believe it is being caused by another service, which provides information to the viewer. So there are 3 systems, and I was placing the headers only in the viewer and in the one that uses it as an iframe.

[highoncarbs]

@MatheusRdk also try to keep everything as * ( wildcard ) , in case it still doesn't work with the server

[MatheusRdk]

Yes, it seems that it is a problem in our environment. Thanks for the answers.

[sedghi]

@MatheusRdk What was the issue? Could you please post the solution here for the benefit of others who might encounter a similar problem?

[MatheusRdk]

In fact, we didn't discover the definitive solution, as we left the development of this resource for later. But while I was still testing, the problem was that we have another system that provides information to the viewer, and this third system also needs to have the headers set correctly.

The viewer, the system that opens the viewer in an iframe, and the third system that communicates with the viewer, they need to have the headers Access-Control-Allow-Origin, Cross-Origin-Opener-Policy, Cross-Origin-Resource -Policy and Cross-Origin-Embedder-Policy set correctly.