Closed donotcodeit closed 3 years ago
@donotcodeit
The Original PR - Line 124 has this included. Maybe this is only related to what @Soarc was working on at the time.
I think it is advisable we remove it, most developers that will use the external scheme handlers will likely create their custom handlers using this as a guide anyways. So unless, @Soarc advises otherwise, this will be removed.
Thanks.
Hi @mattkol Actually, I've found source of a problem already. There we have some CORS response header manipulation: https://github.com/chromelyapps/Chromely/blob/1f95b7d1475cd56bd9a50b1d8df7140e42810e22/src/Chromely/Browser/Handlers/DefaultExternalRequestSchemeHandler.cs#L161
YouTube player uses
withCredentials
in requests to video chunks API. So havingAccess-Control-Allow-Origin=*
in response headers will make response to fail with:Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
. Details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentialsI wasn't able to find the original reason for that code. So it leads me to question: do we really need to force wildcard for
Access-Control-Allow-Origin
? The app I working on is very complex. When I've disabled that line - no new bugs appeared and app continued to work as expected. And it fixes YouTube bug.