Cross Site Requests
The Curity Identity Server contains a feature that blocks requests from cross-site origins to plugin request handlers. Each plugin can programmatically define the set of handlers that can be accessed on cross-site requests and the ones that are only usable on same-site requests. This feature is described in cross-site plugin handlers.
However, it is also possible to override this policy using the following system properties:
- se.curity.crosssite.block.enabled - When set to false, the blocking behavior is disabled and all cross-site requests are allowed, independently of the individual plugin policy. The default value is true.
- se.curity.crosssite.block.authenticators.deny - This property receives a comma-separated list of authenticator type names (e.g. html-form), for which cross-site access should be blocked. It can be used to make sure a given authenticator is not accessed on cross-site requests, independently of its implementation. The default value is an empty list.
- se.curity.crosssite.block.actions.deny - This property receives a comma-separated list of authentication action type names (e.g. attribute-prompt), for which cross-site access should be blocked. It can be used to make sure a given authentication action is not accessed on cross-site requests, independently of its implementation. The default value is an empty list.
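
A deployment check for the three properties above, as an added example that is not part of the Curity documentation or product. It assumes the properties reach the server as standard JVM `-D` options; the function names, the sample argument strings and the "required" lists (the operator's own policy) are hypothetical.

```python
import shlex

PREFIX = "se.curity.crosssite.block."

def parse_props(jvm_args: str) -> dict:
    """Extract the cross-site blocking properties from a JVM argument string."""
    props = {}
    for token in shlex.split(jvm_args):
        if token.startswith("-D" + PREFIX):
            name, _, value = token[2:].partition("=")
            props[name] = value  # keep the last occurrence of a repeated property
    return props

def split_list(value: str) -> set:
    """Parse a comma-separated list of type names; empty string -> empty set."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit(jvm_args: str, required_authenticators=(), required_actions=()) -> list:
    """Return findings for settings that weaken cross-site request blocking."""
    props = parse_props(jvm_args)
    findings = []
    # Documented default is true; any casing of "false" is flagged conservatively.
    if props.get(PREFIX + "enabled", "true").strip().lower() == "false":
        findings.append("blocking disabled: all cross-site requests are allowed")
    checks = (
        ("authenticators.deny", required_authenticators, "authenticator"),
        ("actions.deny", required_actions, "authentication action"),
    )
    for key, required, kind in checks:
        denied = split_list(props.get(PREFIX + key, ""))  # default: empty list
        for missing in sorted(set(required) - denied):
            findings.append(f"{kind} '{missing}' is not listed in {PREFIX}{key}")
    return findings

# Constructed sample argument strings (not taken from a real deployment).
WEAK = "-Xmx2g -Dse.curity.crosssite.block.enabled=false"
HARDENED = (
    "-Xmx2g "
    "-Dse.curity.crosssite.block.authenticators.deny=html-form "
    "-Dse.curity.crosssite.block.actions.deny=attribute-prompt"
)

if __name__ == "__main__":
    for label, args in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(args, ["html-form"], ["attribute-prompt"]))
```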