What .htaccess CORS headers are needed to embed an iframe to sub.domain.com from domain.com?

Time:12-29

I have full file access to both sub.domain.com and domain.com. On domain.com I have a web page on which an iframe points to sub.domain.com which is on the same server, so same IP, same protocol (HTTPS). Inside the iframe is an app that requires Cross-Origin-Embedder-Policy "require-corp" to make use of SharedArrayBuffer functionality. The app runs flawlessly when viewed directly from sub.domain.com but not when embedded in an iframe on domain.com.

I have read dozens of outdated solutions on here and none worked for me, including adding JS in the iframe: <script>document.domain = "domain.com"</script> or adding Header set Access-Control-Allow-Origin: "*" or even Header set X-Frame-Options "ALLOW-FROM https://*.domain.com" to sub.domain.com .htaccess file.

  1. What exact CORS headers need to be added to sub.domain.com .htaccess?

  2. What, if any, exact CORS headers need to be added to domain.com .htaccess?

After searching for an hour, I could not find an exact duplicate of my question, yet this just popped up in my search results... so my question might be a duplicate of this, but it still lacks a solution: Enable Shared Array Buffer in Cross-Domain

CodePudding user response:

Got it to work! Hope this helps other people coming here to find the solution.

In the iframe's .htaccess (on sub.domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"

In the root document's .htaccess (on domain.com) I needed:

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"

In the root document's iframe element (on domain.com), I needed to add the "allow" attribute like so:

<iframe allow="cross-origin-isolated" src="...">

Now SharedArrayBuffer works in the iframe on sub.domain.com embedded from domain.com :)

Huge THANK YOU to this post: https://stackoverflow.com/a/71466309/7326344
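
Added example (not part of the original answer): a small JavaScript checker that takes the response headers of the parent page and the framed page plus the iframe's allow attribute, and lists which cross-origin isolation requirement is unmet. It covers only the require-corp setup used on this page; checkIsolation, its field names, ANSWER_CONFIG and the caller-supplied sameSite flag are assumptions made for the example.

```javascript
// Added example. Header names and values come from the answer above;
// checkIsolation, its fields and ANSWER_CONFIG are hypothetical names.
function norm(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    out[k.toLowerCase()] = String(v).trim().replace(/^"|"$/g, "").toLowerCase();
  }
  return out;
}

// sameSite is supplied by the caller: deciding it properly needs the Public
// Suffix List, which this sketch does not embed.
function checkIsolation({ parentUrl, frameUrl, sameSite, parentHeaders, frameHeaders, iframeAllow }) {
  const p = norm(parentHeaders), f = norm(frameHeaders);
  const crossOrigin = new URL(parentUrl).origin !== new URL(frameUrl).origin;
  const problems = [];
  // Top-level document: both headers are needed for cross-origin isolation.
  if (p["cross-origin-opener-policy"] !== "same-origin")
    problems.push("parent: Cross-Origin-Opener-Policy is not same-origin");
  if (p["cross-origin-embedder-policy"] !== "require-corp")
    problems.push("parent: Cross-Origin-Embedder-Policy is not require-corp");
  // A framed document must opt in to COEP itself or the load is blocked.
  if (f["cross-origin-embedder-policy"] !== "require-corp")
    problems.push("frame: Cross-Origin-Embedder-Policy is not require-corp");
  if (crossOrigin) {
    // The frame's response must permit being loaded by the embedding origin.
    const corp = f["cross-origin-resource-policy"];
    if (!(corp === "cross-origin" || (corp === "same-site" && sameSite)))
      problems.push("frame: Cross-Origin-Resource-Policy does not cover the parent");
    // The cross-origin-isolated feature defaults to 'self', so the parent
    // has to delegate it through the iframe's allow attribute.
    const delegated = String(iframeAllow || "").split(";").some((d) => {
      const [name, ...list] = d.trim().split(/\s+/);
      return name === "cross-origin-isolated" && !list.includes("'none'");
    });
    if (!delegated)
      problems.push("iframe: allow attribute does not delegate cross-origin-isolated");
  }
  return problems;
}

// Constructed input mirroring the working setup described in the answer.
const ANSWER_CONFIG = {
  parentUrl: "https://domain.com/", frameUrl: "https://sub.domain.com/", sameSite: true,
  parentHeaders: { "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin" },
  frameHeaders: { "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin",
                  "Cross-Origin-Resource-Policy": "same-site" },
  iframeAllow: "cross-origin-isolated",
};
console.log(checkIsolation(ANSWER_CONFIG));
```

Feed it the headers seen in the browser's network panel for each document; inside the frame, the runtime result can be confirmed by reading self.crossOriginIsolated.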
