This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.


This topic contains 3 replies, has 2 voices.

Last updated by Alejandro 1 year, 2 months ago.

Assigned support staff: Alejandro.

Author Posts
March 1, 2019 at 1:50 pm


Admin details aren't being sent across even with X domain being removed.
Also the multi domains are (Some reason the domain isn't showing above):

We use this framework:
hidden link

Response Headers:
cache-control: no-cache, must-revalidate, max-age=0
content-encoding: gzip
content-security-policy: frame-ancestors 'self'
content-type: text/html; charset=UTF-8
date: Fri, 01 Mar 2019 13:44:25 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
fastcgi-cache: BYPASS
link: <hidden link;; rel="hidden link"
link: <hidden link;; rel=shortlink
pragma: no-cache
server: nginx
status: 200
strict-transport-security: max-age=31536000; includeSubDomains;
vary: Accept-Encoding
x-content-type-options: nosniff
x-ua-compatible: IE=Edge
x-xss-protection: 1; mode=block

We are able to send everything else across ok.
I've also Tried on the latest versions, deactivated plugins, used the correct memory limit (128mb)

March 1, 2019 at 3:01 pm
March 4, 2019 at 7:38 am #3267332


Languages: English (English ) Spanish (Español ) Italian (Italiano )

Timezone: Europe/Rome (GMT+02:00)

I just wanted to let you know that i'm still waiting for our developers to get back to me. I'll let you know as soon as they do.


March 5, 2019 at 11:46 am #3273486


Thanks Alejandro, We also have another site where this doesn't work...

hidden link
hidden link

March 6, 2019 at 9:29 am #3277806


Languages: English (English ) Spanish (Español ) Italian (Italiano )

Timezone: Europe/Rome (GMT+02:00)

Hello, it seems this problem could be caused because of a protection that might be up in your server.

If you have enabled a same-origin policy header like this:

Access-Control-Allow-Origin: same-origin

This policy is deprecated in favor of a strict-transport header, so you should configure one that accepts both of your domains.

Our devs noticed something similar in your site:

strict-transport-security: max-age=31536000; includeSubDomains;

In this case you're including subdomains but what about different domains? try removing this header and see if the problem still persists

The key here is to have a strict-transport-policy that accepts both of your domains or at least one that doesn't restrict them.

that could also be applied to the other domain you sent accross in your last reply.