0

I have full file access to both sub.domain.com and domain.com. On domain.com I have a web page on which an iframe points to sub.domain.com which is on the same server, so same IP, same protocol (HTTPS). Inside the iframe is an app that requires Cross-Origin-Embedder-Policy "require-corp" to make use of SharedArrayBuffer functionality. The app runs flawlessly when viewed directly from sub.domain.com but not when embedded in an iframe on domain.com.

I have read dozens of outdated solutions on here and none worked for me, including adding JS in the iframe: `<script>document.domain = "domain.com"</script>` or adding `Header set Access-Control-Allow-Origin: "*"` or even `Header set X-Frame-Options "ALLOW-FROM https://*.domain.com"` to the sub.domain.com .htaccess file.

  1. What exact CORS headers need to be added to sub.domain.com .htaccess?

  2. What, if any, exact CORS headers need to be added to domain.com .htaccess?

After searching for an hour, I could not find an exact duplicate of my question, yet this just popped up in my search results... so my question might be a duplicate of this, but it still lacks a solution: Enable Shared Array Buffer in Cross-Domain

starball
Marc T.
  • Domain relaxation (overriding the `document.domain` property) is planned for deprecation by Chromium; I wouldn't rely on it. `ALLOW-FROM` is a deprecated directive for the `X-Frame-Options` header, which likely isn't the header you need anyway. What error message are you actually getting? – jub0bs Dec 26 '22 at 17:19
  • SharedArrayBuffer requires cross-origin isolation. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer#security_requirements – Marc T. Dec 26 '22 at 17:43

1 Answer

1

Got it to work! Hope this helps other people coming here to find the solution.

In the iframe's .htaccess (on sub.domain.com) I needed:

```apache
Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"
```

In the root document's .htaccess (on domain.com) I needed:

```apache
Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
```

In the root document's iframe element (on domain.com), I needed to add the "allow" attribute like so:

```html
<iframe allow="cross-origin-isolated" src="...">
```

Now SharedArrayBuffer works in the iframe on sub.domain.com embedded from domain.com :)

Huge THANK YOU to this post: https://stackoverflow.com/a/71466309/7326344

Marc T.
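As an added example (not part of the answer above and not browser code), the following JavaScript models the checks that decide whether an embedded frame can become cross-origin isolated, so a header set can be audited before deployment. The function names and the `relation` parameter are hypothetical, and the sample headers are constructed from the configuration in the answer.

```javascript
// Added example: models the checks discussed in this thread; hypothetical helper names.
// Header names match case-insensitively; parameters after ';' are ignored.
function token(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key ? String(headers[key]).split(';')[0].trim().toLowerCase() : '';
}
const coepOk = h => ['require-corp', 'credentialless'].includes(token(h, 'cross-origin-embedder-policy'));

// Problems that keep a top-level document from being cross-origin isolated.
function topLevelProblems(headers) {
  const out = [];
  if (token(headers, 'cross-origin-opener-policy') !== 'same-origin') out.push('COOP must be same-origin');
  if (!coepOk(headers)) out.push('COEP must be require-corp or credentialless');
  return out;
}

// True when the iframe "allow" attribute delegates cross-origin-isolated.
// Simplification (assumption): any allowlist other than 'none' counts as delegation.
function delegatesIsolation(allow) {
  return (allow || '').split(';').some(d => {
    const [feature, ...list] = d.trim().split(/\s+/);
    return feature === 'cross-origin-isolated' && !list.includes("'none'");
  });
}

// relation of frame to parent: 'same-origin' | 'same-site' | 'cross-site'.
// Supplied by the caller (assumption): deciding "same-site" needs the Public Suffix List.
function embeddedProblems(parent, frame, allow, relation) {
  const out = topLevelProblems(parent).map(p => 'parent: ' + p);
  if (!coepOk(frame)) out.push('frame: COEP must be require-corp or credentialless');
  if (relation !== 'same-origin') {
    const corp = token(frame, 'cross-origin-resource-policy');
    const ok = corp === 'cross-origin' || (corp === 'same-site' && relation === 'same-site');
    if (!ok) out.push('frame: CORP must permit the embedding document');
    if (!delegatesIsolation(allow)) out.push('iframe: allow="cross-origin-isolated" missing');
  }
  return out;
}

// Constructed sample: the headers from the answer, as the browser would receive them.
const parentHeaders = {
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Opener-Policy': 'same-origin',
};
const frameHeaders = { ...parentHeaders, 'Cross-Origin-Resource-Policy': 'same-site' };
console.log(embeddedProblems(parentHeaders, frameHeaders, 'cross-origin-isolated', 'same-site'));
```

In the browser, the result to confirm is that `window.crossOriginIsolated` evaluates to `true` inside the iframe.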