1

I have full file access to both sub.domain.com and domain.com. On domain.com I have a web page on which an iframe points to sub.domain.com which is on the same server, so same IP, same protocol (HTTPS). Inside the iframe is an app that requires Cross-Origin-Embedder-Policy "require-corp" to make use of SharedArrayBuffer functionality. The app runs flawlessly when viewed directly from sub.domain.com but not when embedded in an iframe on domain.com

I have read dozens of outdated solutions on here and none worked for me, including adding JS in the iframe: <script>document.domain = "domain.com"</script> or adding Header set Access-Control-Allow-Origin: "*" or even Header set X-Frame-Options "ALLOW-FROM https://*.domain.com" to sub.domain.com .htaccess file.

  1. What exact CORS headers need to be added to sub.domain.com .htaccess?

  2. What, if any, exact CORS headers need to be added to domain.com .htaccess?

After searching for an hour, I could not find an exact duplicate of my question, yet this just popped up in my search results... so my question might be a duplicate of this, but it still lacks a solution: Enable Shared Array Buffer in Cross-Domain

2
  • Domain relaxation (overriding the document.domain property) is planned for deprecation by Chromium; I wouldn't rely on it. ALLOW-FROM is a deprecated directive for the X-Frame-Options header, which likely isn't the header you need anyway. What error message are you actually getting? Commented Dec 26, 2022 at 17:19
  • SharedArrayBuffer requires cross-origin isolation. developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/… Commented Dec 26, 2022 at 17:43

1 Answer

3

Got it to work! Hope this helps other people coming here to find the solution.

In the iframe's .htaccess (on sub.domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"

In the root document's .htaccess (on domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"

In the root document's iframe element (on domain.com), I needed to add the "allow" attribute like so:

<iframe allow="cross-origin-isolated" src="...">

Now SharedArrayBuffer works in the iframe on sub.domain.com embedded from domain.com :)

Huge THANK YOU to this post: https://stackoverflow.com/a/71466309/7326344
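A static check of the headers and `allow` attribute listed in the answer above, as an added example that is not part of the original post. The `{ url, headers }` object shape, the function names and the last-two-labels same-site shortcut are assumptions made for illustration.

```javascript
// Assumption: registrable domain = last two labels. A production check needs
// the Public Suffix List (this is wrong for hosts such as a.example.co.uk).
function site(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}
// Case-insensitive header lookup; drops structured-field parameters (";...").
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]).split(';')[0].trim() : null;
}
const COEP_OK = ['require-corp', 'credentialless'];
// top, frame: { url, headers }. allow: the iframe's allow attribute value.
// Returns the list of problems; empty means the frame can be isolated.
function isolationProblems(top, frame, allow) {
  const problems = [];
  const topOrigin = new URL(top.url).origin;
  const frameOrigin = new URL(frame.url).origin;
  // COOP is evaluated on the top-level document only.
  if (header(top.headers, 'Cross-Origin-Opener-Policy') !== 'same-origin')
    problems.push('top: COOP is not same-origin');
  if (!COEP_OK.includes(header(top.headers, 'Cross-Origin-Embedder-Policy')))
    problems.push('top: COEP missing');
  if (!COEP_OK.includes(header(frame.headers, 'Cross-Origin-Embedder-Policy')))
    problems.push('frame: COEP missing');
  if (topOrigin !== frameOrigin) {
    // A cross-origin frame document must opt in to being embedded via CORP.
    const corp = header(frame.headers, 'Cross-Origin-Resource-Policy');
    const sameSite = site(top.url) === site(frame.url);
    if (!(corp === 'cross-origin' || (corp === 'same-site' && sameSite)))
      problems.push('frame: CORP does not permit ' + topOrigin);
    // The cross-origin-isolated feature defaults to 'self', so the parent
    // must delegate it to the frame's origin through the allow attribute.
    const delegated = (allow || '').split(';').some(d => {
      const [name, ...list] = d.trim().split(/\s+/);
      return name === 'cross-origin-isolated' && (list.length === 0 ||
        list.some(v => v === '*' || v === "'src'" || v === frameOrigin));
    });
    if (!delegated) problems.push('iframe: cross-origin-isolated not delegated');
  }
  return problems;
}

// Constructed sample based on the headers in the answer.
const sampleTop = { url: 'https://domain.com/', headers: {
  'Cross-Origin-Embedder-Policy': 'require-corp', 'Cross-Origin-Opener-Policy': 'same-origin' } };
const sampleFrame = { url: 'https://sub.domain.com/', headers: {
  'Cross-Origin-Embedder-Policy': 'require-corp', 'Cross-Origin-Resource-Policy': 'same-site' } };
console.log(isolationProblems(sampleTop, sampleFrame, 'cross-origin-isolated'));
```

In the browser, `self.crossOriginIsolated` evaluated inside the frame reports the actual outcome.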
