I provide embed code to my users to put a widget on their own website.
<div id="myDiv"></div>
<script src="https://www.myserver.com/embed.php?id=sometoken"></script>
<script>Widget.initWidget("myDiv",sometoken);</script>
embed.php contains the following javascript code which injects an iframe into myDiv
window.Widget= window.Widget|| {
initWidget: function(id,token) {
iframe = document.createElement('iframe');
iframe.setAttribute('src', 'https://www.myserver.com/someother.php?id='&token);
document.getElementById(id).appendChild(iframe);
}
}
Everything has been working fine until I asked the my VPS host to enable gzip compression. They say they enabled gzip on html, javascript and css. This caused my users to get the following error
"Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.myserver.com/embed.php?id=sometoken with MIME type text/html.
They don't understand why, so I asked them just to undo the change. They did, but now the CORS problem still exists. I asked them to add "Access-Control-Allow-Origin: *" to the headers, which they did, but the problem still exists. I don't understand what they could have done to have caused the problem and why they can't get things back to the way they were when there were no cross origin problems.
These are the complete headers that are being sent:
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Sat, 19 Feb 2022 04:28:25 GMT
Server: nginx
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
I have the same script running with no problems on a different host and it returns these headers:
Access-Control-Allow-Origin: *
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Date: Sat, 19 Feb 2022 03:23:54 GMT
Expires: Sat, 19 Feb 2022 03:23:54 GMT
Keep-Alive: timeout=3, max=99
Server: Apache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge
Any suggestions as to what to tell the hosting company to change to get it working again?
CodePudding user response:
The server says that https://www.myserver.com/embed.php?id=sometoken
is an HTML document.
Either:
- It is an HTML document and you aren't getting the content you expect or
- It is lying
If it is lying then the most likely reason is that PHP will claim that its output is HTML by default so if you want to write PHP that outputs something else then you need to do so explicitly.
<?php
header("Content-Type: text/javascript");
?>
function this_is_JS() { }
CodePudding user response:
problem is ifreams are limit by browser