CMS + CMP Publishing integration returns a 403 unauthorized response when previewing

Hi!

We are currently setting up a CMS and CMP integration for my client's need for publishing between the various systems. For this we are setting up the CMP platform for our local development (https://localhost:58603/) environment.

We are following the provided documentation for this here: CMS + CMP publishing integration

But we seem to face some kind of 403 unauthorized response between the integration when trying to preview the content in the CMP edit mode. It seems to be related to the iframe embedding between the two environments, but we have tried various settings for allowing the localhost environment to communicate properly with https://cmp.optimizely.com/

The documentation mentions these kinds of issues, like setting X-Frame-Options and other third-party cookie settings in the browser, but the 403 response is consistent in the main preview frame in the CMP, but not when trying to edit some content, such as in the all properties mode.

Here are some settings we have tried on our side:

  public void ConfigureServices(IServiceCollection services)
  {
      IMvcBuilder builder = services.AddRazorPages();

      if (_webHostingEnvironment.IsDevelopment())
      {
          // CMP service credentials for development
          services.Configure<CmsServiceOptions>(o =>
          {
              o.AddDevelopmentSigningCredentials();
          });
      }
      else
      {
          services.AddCmsCloudPlatformSupport(_configuration);
      }

      // Allow the quick editor to be embedded into CMP via an iframe
      services.AddAntiforgery(options =>
      {
          options.Cookie.SameSite = SameSiteMode.None;
          options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
          options.SuppressXFrameOptionsHeader = false;
      });

      // Let cookies marked SameSite=None through the cookie policy
      services.Configure<CookiePolicyOptions>(options =>
      {
          options.MinimumSameSitePolicy = SameSiteMode.None;
      });

      services.AddCors(options =>
      {
          // Lambda parameter is named "policy" so it does not clash with the local "builder" above
          options.AddPolicy("AllowAll", policy =>
          {
              policy.AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader();
          });
      });
  }

  public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IContentEvents contentEvents)
  {
      app.UseStaticFiles();
      app.UseRouting();
      app.UseCors("AllowAll");
      app.UseAuthentication();
      app.UseCmsCmpPublishingPreviewLinks();
      app.UseAuthorization();

      // Set the framing header on every response that reaches this middleware
      app.Use(async (context, next) =>
      {
          context.Response.Headers["X-Frame-Options"] = "ALLOW-FROM https://cmp.optimizely.com";
          await next();
      });
  }

The preview of the content does not return a valid response in the preview of the content:

 

The Edit Page seems to work fine in the Preview mode in the CMP:

#336358
Edited, Feb 03, 2025 6:39
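
On the framing and CORS settings in the post above, as an added example (not part of the original post and not Optimizely's code): `X-Frame-Options: ALLOW-FROM` is obsolete and ignored by current browsers, so this stand-alone ASP.NET Core app allows only the CMP origin through the CSP `frame-ancestors` directive and an origin-restricted CORS policy. The policy name `CmpOnly`, the `/` endpoint and the minimal-hosting layout are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// The only external origin allowed to embed or call this site (taken from the post).
const string CmpOrigin = "https://cmp.optimizely.com";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // Cross-site iframes only receive cookies marked SameSite=None; Secure.
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // true stops antiforgery from emitting "X-Frame-Options: SAMEORIGIN";
    // framing is governed by the frame-ancestors policy set below instead.
    options.SuppressXFrameOptionsHeader = true;
});

builder.Services.AddCors(options =>
{
    // Hypothetical policy name: one named origin instead of AllowAnyOrigin().
    options.AddPolicy("CmpOnly", policy =>
        policy.WithOrigins(CmpOrigin).AllowAnyMethod().AllowAnyHeader());
});

var app = builder.Build();

// Registered first so every response, including errors, carries the header.
app.Use(async (ctx, next) =>
{
    ctx.Response.OnStarting(() =>
    {
        // Appended as a separate CSP header so an existing policy is kept;
        // browsers enforce all CSP headers together. Where frame-ancestors
        // is supported it takes precedence over any X-Frame-Options value.
        ctx.Response.Headers.Append(
            "Content-Security-Policy", $"frame-ancestors 'self' {CmpOrigin}");
        return Task.CompletedTask;
    });
    await next(ctx);
});

app.UseRouting();
app.UseCors("CmpOnly");
app.MapGet("/", () => "framing policy applied"); // hypothetical test endpoint
app.Run();
```
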
In the .UseCmsCmpPublishingPreviewLinks provided by the Optimizely.Cms.Cmp.Publishing.dll there seems to be this usage of the setup for communicating via the CMS and the CMP platform. Why would the preview token fail in such an instance and return a 403?

We are using ngrok and have provided the development signatures as stated in the documentation as well.

 

#336360
Feb 03, 2025 6:46