-4

Note: Solved - question makes no sense, my understanding of CORS was incorrect and led me to ask this question.

The answer is simple as pointed out by @CBroe below - CORS needs to be configured on the game server (in the example in this question).

I have a Facebook WebGL game that I'm wanting to host using Facebook's simple hosting (https://developers.facebook.com/docs/games/services/contenthosting/).

Is it possible to use Facebook's Simple Hosting for a WebGL game and still contact my web server (mygamedomain.com)? Is there somewhere in the FB app config to specify domains to allow?

Is the only way to get around this to serve the game from mygamedomain.com also?

I'd really like to avoid serving the game from my webserver if possible.

Any ideas or suggestions?

Not doing so will generate an error as expected:

XMLHttpRequest cannot load https://mygamedomin.com/mygame.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://apps-1287636812638.apps.fbsbx.com' is therefore not allowed access.

Just to be clear as there seems to be some confusion:

  • Game is hosted by Facebook using their "Simple Hosting" service, not on my own server.
  • I know CORS is the solution - the question is - does Facebook allow/support this? If so where do I configure the domains to allow.
  • If this was on my own server the answer is trivial - CORS. But it's not.
  • There are hacks to circumvent cross-origin restrictions - I'm not looking for these. There's plenty of resources already covering these.

Edit: changed the title to more accurately reflect my question.

lark
  • why not just try it? after all, YOUR server has to allow access from another domain. – andyrandy Oct 11 '17 at 07:28
  • @luschn No, Facebook are hosting it, their server needs to allow access. It works just fine if I host it. – lark Oct 11 '17 at 07:52
  • so what is the exact error message then, if you try it? – andyrandy Oct 11 '17 at 08:44
  • @luschn, not sure what you're asking. To be able to make web calls to a domain that's not the host of the app you need to set up CORS permissions (allows in http headers). To do this FB will need to allow me to specify that somehow for it to ever work. I'm hoping someone who knows if it *can* or *can not* be done can clarify either way. My research has not found any word either way. – lark Oct 11 '17 at 08:49
  • @luschn FWIW, I added the error to the OP. – lark Oct 11 '17 at 08:56
  • did you try with jsonp? – andyrandy Oct 11 '17 at 09:14
  • also, take a look at this: https://stackoverflow.com/questions/7564832/how-to-bypass-access-control-allow-origin – andyrandy Oct 11 '17 at 09:15
  • @luschn, such a solution may be possible, but I'm really looking for an answer if it's possible to be done correctly (by FB enabling it somehow via the correct http headers) – lark Oct 11 '17 at 09:17
  • you are accessing YOUR server with ajax, right? so i am not sure why you would want to set http headers on the facebook server...how are you using ajax anyway, can you add your code? – andyrandy Oct 11 '17 at 09:21
  • another good resource for you (i suggest using fetch api or axios): https://stackoverflow.com/questions/42422494/cross-domain-at-axios – andyrandy Oct 11 '17 at 09:21
  • Hey @luschn, I'm not sure you understand my problem. This is a Unity WebGL game that's hosted on Facebook (it's a facebook game). – lark Oct 11 '17 at 09:55
  • i know that, and you are trying to access your own server from that webgl game that is hosted on facebook, on a different domain. – andyrandy Oct 11 '17 at 10:09
  • @luschn, ah, you threw me off with the ajax and similar links... Yep, access my own server. Maybe someone out there knows if it can be done, but with all the down votes on my question they're unlikely to see it... hmmm.. – lark Oct 11 '17 at 10:55
  • well, you do need ajax. did you check out all my links? there is a lot of good information in there, i think. – andyrandy Oct 11 '17 at 10:57
  • CORS _is_ the solution - so go properly read up on that keyword, if you don't know what it means. – CBroe Oct 11 '17 at 22:29
  • Thanks @CBroe, my knowledge of CORS is not the issue - **If** it was hosted on my server then configuring things to work is trivial (and in fact works just fine). I thought my question is clear. It is being hosted **by facebook** on **their servers** hence for this to work **facebook** must allow me to specify the domains to allow somewhere (so their servers can send out the correct allows). I want to know **if facebook** allow this somehow and I'm just missing where to configure it. My research has not found mention either way - so putting the question out there. – lark Oct 11 '17 at 23:01
  • You have just proven, again, that your lack of knowledge of CORS **is** the issue. You are trying to make a request to `https://mygamedomin.com/mygame.php` from a different domain, therefore it is a cross-domain request. For this request to be allowed, the server behind `mygamedomin.com` must signal his consent. That is, as you said, your server. So, configure your server to properly respond to the cross-domain request. That your game is hosted under the Facebook domain has only marginally to do with this. It would be the same for requests originating from _any other_ domain. – CBroe Oct 11 '17 at 23:12
  • @CBroe My server is the destination of the request, the game is served and hosted by Facebook (think a facebook game wholly and solely lives in facebook land). The first interaction with my server is that request, before that point the browser never has any interaction with my servers (only Facebook). There is no opportunity for my server to set any relevant headers. The communication with my server is to support multi-player capability. The game itself is wholly hosted and served by Facebook. Make sense? – lark Oct 11 '17 at 23:18
  • @CBroe, remember the browser is stopping that request ever leaving the browser, it **never** reaches my server. There is never any interaction with the server prior to that. So I'm pretty sure, unless there's magic somewhere, my understanding is correct. – lark Oct 11 '17 at 23:20
  • No, your understanding of how CORS works is simply wrong. The request does make it to your server, but the browser will "block" it "retro-actively", if it doesn't like the _response_ your server gives. – CBroe Oct 11 '17 at 23:23
  • _"The first interaction with my server is that request, before that point the browser never has any interaction with my servers (only Facebook)."_ - this is not about any request Facebook makes ... it is about a request that _your_ client-side code (which simply was delivered from Facebook's servers, because you happened to upload it there, instead of elsewhere), makes to your domain. This happens inside the user's browser. – CBroe Oct 11 '17 at 23:27
  • User (browser) opens https://apps.facebook.com/mygame, facebook serve all content to them (surely that's the point at which CORS header settings come in no????) Then during game play, the game (Unity emscripten compiled WebGL game) my game attempts to make contact with my game server at mygamedomain.com. Are you saying that mygamedomain.com can permit this communication? Any links to anything to back that up? Everything I see indicates it's the origin server who permits the domains, not the other way around.. But if I'm wrong then that's great. But I'm not seeing anything to support that. – lark Oct 11 '17 at 23:46
  • _"Are you saying that mygamedomain.com can permit this communication?"_ - I am saying, all along, that exactly that is what CORS is all about. _"(surely that's the point at which CORS header settings come in no????)"_ - no, of course it isn't, this is: _"Then during game play [...] my game attempts to make contact with my game server at mygamedomain.com"_ – CBroe Oct 11 '17 at 23:53
  • @CBroe, many thanks for persisting with my ignorance! Indeed I had the purpose of CORS confused! Once configured on my server, everything works as expected! Convert a comment to an answer and I'll accept it! Thanks again! – lark Oct 12 '17 at 00:33

1 Answer

1

CORS is the solution to your problem here.

This question/the answer is not Facebook specific - the issue would be the same with any other domain serving your content, that is different from your own.

Your client-side code is hosted under the Facebook domain, and tries to make a request to your domain - that is the cross-domain part. Your domain is the party that holds the power to either allow or deny this request - by default, it would be denied, but by responding with the appropriate header, your server can signal to the browser, "yes, that's ok, he [your code running under facebook.com] is one of the good guys ..."

So you need to configure this on the server that you want to make the request to.

CBroe
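A sketch of the server-side configuration the answer describes, added here as an example and not code from the original posts or from Facebook's documentation. It assumes a Node-style handler on the game server; the allowlisted origin is the one shown in the question's error message, and the function names, allowed methods and JSON body are hypothetical.

```javascript
// Added example: CORS decision logic for the game server (the request target).
// The allowlist entry is the Origin from the error message in the question;
// function names and the response body are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://apps-1287636812638.apps.fbsbx.com',
]);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type'];

// Returns { status, headers } for the CORS part of the response.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // The response differs per Origin, so caches must key on it.
  const headers = { 'Vary': 'Origin' };
  // Exact string match only: no wildcard, no echoing of unknown origins.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: method === 'OPTIONS' ? 403 : 200, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (method !== 'OPTIONS') return { status: 200, headers };

  // Preflight: the browser asks first before a non-simple request.
  const wantMethod = reqHeaders['access-control-request-method'];
  const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod) ||
      !wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) {
    delete headers['Access-Control-Allow-Origin'];
    return { status: 403, headers };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  return { status: 204, headers };
}

// Node http-style handler: http.createServer(handleRequest).listen(...)
function handleRequest(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  if (req.method === 'OPTIONS') {
    res.writeHead(status, headers);
    return res.end();
  }
  res.writeHead(status, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

A simple request from an origin that is not on the allowlist still reaches the handler and runs; the missing header only stops the browser from handing the response to the calling page. Authentication and authorization for the game API therefore stay on the server and do not rely on CORS.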