CleverTap / clevertap-web-sdk

CleverTap Web SDK
https://clevertap.com/
MIT License

Missing Headers for Cross-Origin Isolation Support #241

Open arfa123 opened 2 months ago

arfa123 commented 2 months ago

Description: I am integrating the CleverTap Web SDK into my project, which operates with cross-origin isolation enabled. Unfortunately, the SDK is not functioning correctly due to missing headers in the API response. Specifically, the API does not return either of the following headers:

Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin

These headers are necessary to ensure that the SDK works on websites with cross-origin isolation enabled, which is required to comply with modern web security standards like COEP (Cross-Origin Embedder Policy).

Reference: For more information on the importance of these headers and how they relate to cross-origin isolation, please refer to the official guidance from Google Chrome’s documentation: https://web.dev/articles/coop-coep#2_ensure_resources_have_corp_or_cors_enabled

These resources explain why cross-origin isolated environments require specific headers to be present to maintain security and data integrity.

Steps to Reproduce:

1. Enable cross-origin isolation on your website (e.g., by setting Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers).
2. Integrate the CleverTap Web SDK.
3. Observe the errors in the console due to the missing headers in the API response.

Expected Behavior: The CleverTap Web SDK should support cross-origin isolated environments by ensuring that the API response includes one of the necessary headers: Access-Control-Allow-Origin: * or Cross-Origin-Resource-Policy: cross-site.

Actual Behavior: The SDK fails to operate correctly, and errors are thrown because the required headers are not present in the API response.

Suggested Solution: Please modify the API response to include one of the following headers:

Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin

This change would allow the SDK to function correctly in cross-origin isolated environments.

Environment:

- CleverTap Web SDK version: 1.9.0
- Browser: Google Chrome, Microsoft Edge
- Website with Cross-Origin Isolation enabled

Thank you for your attention to this matter. I look forward to your response.

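Added example, not part of the original issue and not CleverTap code: a small model of the check a browser applies to a cross-origin response when the embedding page sends `Cross-Origin-Embedder-Policy: require-corp`, showing that `Access-Control-Allow-Origin` only helps when the request is made in CORS mode, while a no-cors load is judged on `Cross-Origin-Resource-Policy`. The function name `coepVerdict`, the hostnames and the sample headers are constructed for illustration, and "same site" is approximated without the Public Suffix List.

```javascript
// Added example: models the response checks applied to a cross-origin
// subresource when the embedding page sends COEP: require-corp.
// Assumption: "same site" is approximated by the last two host labels;
// browsers use the Public Suffix List and also compare schemes.
const site = (u) => new URL(u).hostname.split('.').slice(-2).join('.');

function coepVerdict({ pageOrigin, resourceUrl, mode, credentials = false, headers }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const origin = new URL(pageOrigin).origin;
  if (new URL(resourceUrl).origin === origin) {
    return { allowed: true, reason: 'same-origin resource' };
  }
  if (mode === 'cors') {
    // CORS-mode requests (fetch/XHR, <script crossorigin>) pass via the CORS check.
    const acao = h['access-control-allow-origin'];
    const credsOk = !credentials || h['access-control-allow-credentials'] === 'true';
    if (acao === '*' && !credentials) return { allowed: true, reason: 'CORS wildcard' };
    if (acao === origin && credsOk) return { allowed: true, reason: 'CORS origin match' };
    return { allowed: false, reason: 'CORS check failed' };
  }
  // no-cors requests (plain <script src>, <img>) are judged on CORP alone;
  // a missing or unrecognised value is treated as same-origin under require-corp.
  let corp = h['cross-origin-resource-policy'];
  if (!['same-origin', 'same-site', 'cross-origin'].includes(corp)) corp = 'same-origin';
  if (corp === 'cross-origin') return { allowed: true, reason: 'CORP cross-origin' };
  if (corp === 'same-site' && site(origin) === site(resourceUrl)) {
    return { allowed: true, reason: 'CORP same-site' };
  }
  return { allowed: false, reason: `CORP ${corp} blocks cross-origin embed` };
}

// Constructed sample responses (hostnames are placeholders, not real endpoints).
const page = 'https://shop.example';
const api = 'https://api.vendor.example/collect';
const cases = [
  { mode: 'no-cors', headers: {} },
  { mode: 'no-cors', headers: { 'Access-Control-Allow-Origin': '*' } },
  { mode: 'no-cors', headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } },
  { mode: 'cors', headers: { 'Access-Control-Allow-Origin': '*' } },
  { mode: 'cors', credentials: true, headers: { 'Access-Control-Allow-Origin': '*' } },
];
for (const c of cases) {
  const v = coepVerdict({ pageOrigin: page, resourceUrl: api, ...c });
  console.log(c.mode, JSON.stringify(c.headers), '->', v.allowed, v.reason);
}
```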