iframe not reading cookies in Chrome

There is a relatively new cookie attribute called SameSite that was being set by my server automatically. Disabling this (while retaining the settings listed in the question) allows the iframe access to its own cookies in Chrome. See also Chrome feature status & IETF draft.

UPDATE Aug 2020: Chrome now blocks cookies without SameSite set, …

Why do browser APIs restrict cross-domain requests?

If I visit a malicious website, I want to be sure that:

- It cannot read my personal data from other websites I use. Think attacker.com reading gmail.com.
- It cannot perform actions on my behalf on other websites that I use. Think attacker.com transferring funds from my account on bank.com.

Same Origin Policy solves the …

Three.js and loading a cross-domain image

Update

In newer versions of THREE.js cross origin images are handled by default. THREE.ImageUtils.loadTexture is deprecated. It’s common to use TextureLoader:

    const loader = new THREE.TextureLoader();
    const mapOverlay = loader.load('http://i.imgur.com/3tU4Vig.jpg');

Original Answer

This works:

    THREE.ImageUtils.crossOrigin = '';
    var mapOverlay = THREE.ImageUtils.loadTexture('http://i.imgur.com/3tU4Vig.jpg');

Here’s a sample:

    var canvas = document.getElementById("c");
    var renderer = new THREE.WebGLRenderer({canvas: canvas});
    var …

handle multiple domains with Access-Control-Allow-Origin header in Apache

For 3 domains, in your .htaccess:

    <IfModule mod_headers.c>
        # Anchor the pattern and escape the dots so only the listed origins match.
        # $0 is the whole matched Origin value, echoed back in the response header.
        SetEnvIf Origin "^http(s)?://(www\.)?(domain1\.org|domain2\.com|domain3\.net)$" AccessControlAllowOrigin=$0
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header set Access-Control-Allow-Credentials true
    </IfModule>

I’ve tried this and it works for me. Let me know if it doesn’t for you.

Enable CORS in Golang

I use the gorilla/mux package to build a Go RESTful API server, and a client using JavaScript requests can work with it. My Go server runs at localhost:9091, and the server code is:

    router := mux.NewRouter()
    // The API route is /people.
    // Methods("GET", "OPTIONS") means it supports GET and OPTIONS.
    router.HandleFunc("/people", GetPeopleAPI).Methods("GET", "OPTIONS")
    log.Fatal(http.ListenAndServe(":9091", router))

I find giving OPTIONS here is important, otherwise error …

CORS support for PUT and DELETE with ASP.NET Web API

It looks like adding another custom header sorted it out:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Headers" value="Content-Type" />
          <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Angular 4 – setting withCredentials on every request – cors cookie

You can use an HttpInterceptor.

    @Injectable()
    export class CustomInterceptor implements HttpInterceptor {
      constructor() { }

      intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        request = request.clone({ withCredentials: true });
        return next.handle(request);
      }
    }

Next you have to provide it:

    @NgModule({
      bootstrap: [AppComponent],
      imports: […],
      providers: [
        { provide: HTTP_INTERCEPTORS, useClass: CustomInterceptor, multi: true }
      ]
    }) …
