Access-Control-Allow-Origin - XMLHttpRequest
Question
Application Type
Reactive

Guys, I have a question, and after researching I didn't come to a plausible solution. Have you guys gone through this error?

- I'm trying to access a script library outside of the domain where I have my application.

- In LifeTime I already configured it to allow accessing scripts from different domains.


Well the error is:

Access to XMLHttpRequest at 'https://dominio-do-script.com.br/' from origin 'https://meuambiente-os.outsystemsenterprise.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.



Can someone who is more focused on OS infrastructure shed some light on how to adjust OutSystems CORS to allow access from other domains?

2022-03-10 08-26-10
Cristian Angel Puma Villalva

Hi Lucas Soares,

My name is Cristian and I am helping in the forum.

I have seen the error you mention before and it happens when you query data from an external server.

Let's say that I have my backend made in Node.js with Express, and from another server I have the front end querying data.

For security, the server where the backend is should register the IP of the servers that are allowed to query it.

Now, how we enable it depends on what language the backend is in.

Example nodeJS.

I hope this information helps you.

Greetings.

2020-10-18 16-19-28
Shahaji Nangare

Below are suggestions for the Security Settings:

- Use for redirection; the object's URL should be allowed

  1. Frame-ancestors - Specifies the domains which are allowed to embed the application in a frame. The following source expressions are allowed: 'self' and *.
  2. Object-src - Specifies the domains from which the application is allowed to load objects (for <object>, <embed> and <applet> elements). The following source expressions are allowed: 'self' and *.
  3. Child-src - Specifies the domains which the application is allowed to embed framed. The following source expressions are allowed: 'self' and *.

Values -

  1. self
  2. login.microsoftonline.com

- Use for images 

  1. Img-src - Specifies the domains from which the application is allowed to load images. The following source expressions are allowed: 'self', data: and *.

- Use for Style 

  1. Style-src - Specifies the domains from which the application is allowed to load styles. The following source expressions are allowed: 'self', data: and *.

Refer to the URL below:

https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Apply_Content_Security_Policy

Regards,

Shahaji 

steve jonn

CORS is a security mechanism implemented by web browsers to restrict cross-origin requests. It requires the server to include specific headers in the response to indicate which origins are allowed to access the resource. The 'Access-Control-Allow-Origin' header is one of those headers.

To solve this issue, you can follow these steps:

  • Check server-side configuration: Make sure that the server hosting the requested resource is configured to include the 'Access-Control-Allow-Origin' header in its responses. This header should contain either the specific origin that is allowed to access the resource or a wildcard "*" to allow access from any origin.
  • Specify allowed origins: If you have control over the server hosting the resource, you can configure it to include the 'Access-Control-Allow-Origin' header and specify the specific origins that are allowed to access the resource. For example, if your client-side code is hosted on "example.com," the server should include the following header: Access-Control-Allow-Origin: example.com. This allows only requests originating from "example.com" to access the resource.
  • Use wildcard '*' cautiously: If you want to allow access from any origin, you can include the wildcard "*" in the 'Access-Control-Allow-Origin' header. However, be cautious when using this approach, as it allows any website to access your resource, potentially exposing sensitive information.
  • Additional headers: Depending on your application's needs, you may need to include other CORS-related headers, such as 'Access-Control-Allow-Methods' and 'Access-Control-Allow-Headers'. These headers define the HTTP methods and headers allowed in cross-origin requests.
  • Proxy servers: If your application is making cross-origin requests through a proxy server, ensure that the proxy server is correctly configured to pass the necessary CORS headers from the original server response to the client.
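
The server-side allowlist described in the answer above, as an added example that is not part of the original thread and is not OutSystems code: a Node.js handler that returns 'Access-Control-Allow-Origin' only for an exact origin match and answers preflight requests. ALLOWED_ORIGINS, corsHeaders and handle are hypothetical names; the allowed origin is the calling origin from the error message in the question.

```javascript
// Added example: origin allowlist for the server that hosts the script.
// All names here are hypothetical; adapt the lists to your own deployment.
const ALLOWED_ORIGINS = new Set([
  // Calling origin copied from the error message in the question.
  "https://meuambiente-os.outsystemsenterprise.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns the CORS headers for one request. An absent or unlisted Origin
// gets only Vary, so the browser keeps blocking the cross-origin read.
function corsHeaders(origin, isPreflight = false) {
  // Vary: Origin stops shared caches from reusing one origin's response for another.
  const headers = { Vary: "Origin" };
  // Exact string match only: no suffix or substring tests, and "null" never matches.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin; // the single matched origin, not "*"
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache the preflight
  }
  return headers;
}

// Request handler in the shape Node's http.createServer(handle) expects.
function handle(req, res) {
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  const headers = corsHeaders(req.headers.origin, isPreflight);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (isPreflight) {
    res.statusCode = 204; // preflight carries no body
    return res.end();
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true }));
}
```
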


