That’s right, you can only show pages that have the OWASP headers. However, I think this is related to the domain whitelist. Make sure that you are adding the domain without the www. to see if that works for you.
@MaxM no luck, I am getting the same error without www in both the domain whitelist (which prevents me from adding a www) and the a href tag.
I am however noticing varying behavior when I try to redirect to other sites. I added “shipit.today” to the domain whitelist and when I redirect to “https://shipit.today/”, I get the (correct?) OWASP error.
When I try to redirect to “https://golinks.io/”, I get the 403 forbidden error. Does this point to an error on my side with the website configuration?
Another thing that might be worth mentioning is that my home URL is “[home].golinks.io/[file].php” and redirecting to “[home].golinks.io” works just fine - the page loads and everything, even without the OWASP headers.
Typically the 403 error would indicate an issue with the CSP header that is set or another problem with the permissions of golinks.io. You can use the CSP headers in the Basic Sample App as a reference.
When you redirect, do you see any console errors or server errors associated with that?
The site shouldn’t work without OWASP headers. Have you confirmed the site is not sending OWASP headers through the network tab?
Ah, correction: the sites I am trying to redirect to have the correct OWASP headers.
And about the issue with golinks.io, I don’t see any errors associated with the CSP header. The only error that appears is the one I posted above.
I also notice that opening the URL with zoomSdk.OpenURL() works, but redirecting in-app does not.
In general, it seems the behavior I’m noticing is that redirecting and ‘opening as homepage’ URLs that are subdomains work, but trying to redirect to the domain alone (as specified in the domain allow list) does not.