1

I am facing a problem, SAB(SharedArrayBuffer) does not work in cross-domain environment. Target IFrame's source is on another domain, I added aliases to hosts file(Windows OS). I am sending SAB through postMessage to IFrame, but it simply does not either send or receive. If IFrame's source is something like this: "./frames/frame.html", SAB starts magically work. What can be done to make SAB work in cross-domain?

I am using Google Chrome, in Console window it does not show errors. When using Firefox, it provides this error: Cannot post message containing a shared memory object to a cross-origin window.

Website is hosted using webpack with headers:

Cross-Origin-Opener-Policy : same-origin
Cross-Origin-Embedder-Policy : require-corp
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
moraprex
  • 103
  • 9
  • Are you using TLS? – BrownieInMotion Aug 08 '22 at 09:18
  • @BrownieInMotion Yes, I also created certificate for all domains and added that certificate to trusted in Windows OS. – moraprex Aug 08 '22 at 09:53
  • Have you tried also sending a `Cross-Origin-Resource-Policy: cross-origin` response header? – sideshowbarker Aug 08 '22 at 11:00
  • @sideshowbarker Yes, backend responses with such header – moraprex Aug 08 '22 at 12:41
  • Does the iframe have `allow="cross-origin-isolated"` set? – sideshowbarker Aug 08 '22 at 22:47
  • If you attach a `messageerror` handler on the iframe's window you should see it's triggered in Chrome too. The funky thing though is that this actually works in Safari. https://alpine-atom-tiara.glitch.me/ @sideshowbarker You believe this ought to work per specs? – Kaiido Aug 09 '22 at 06:18
  • @sideshowbarker I added it, it did not help. – moraprex Aug 09 '22 at 08:32
  • @Kaiido Hello! Any ideas on how can SAB be enabled? – moraprex Aug 09 '22 at 08:32
  • 1
    @Kaiido I haven’t looked yet at the relevant spec bits to know what the expected behavior should be per-spec – sideshowbarker Aug 09 '22 at 09:43
  • @moraprex No I don't know. I guess you'd have to fallback to "normal" ArrayBuffers instead. – Kaiido Aug 09 '22 at 09:50
  • Per specs postMessage should fire a *messageerror* with a SharedArrayBuffer from two different agent clusters. The bit I can't figure out though is if both agent clusters should be different here. The specs there are super hard to follow on sight, I'd probably need to write down the whole thing but I lack the time and energy to do so. Though that kind of makes sense that two cross-origin isolated contexts are, well, isolated. I'm afraid this could actually point to a quite severe bug in Safari? – Kaiido Aug 10 '22 at 01:49

1 Answers1

1

If your cross-domain environment consists of subdomains to the same parent domain (e.g. one.domain.com and two.domain.com) or even sub.domain.com and domain.com then this shows precisely which headers you need to set up on each domain: https://stackoverflow.com/a/74923275/7326344

In the iframe's .htaccess (on sub.domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"

In the root document's .htaccess (on domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Marc T.
  • 21
  • 7
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/33499838) – ahuemmer Dec 27 '22 at 20:12