chromelyapps / Chromely

Build Cross Platform HTML Desktop Apps on .NET using native GUI, HTML5, JavaScript, CSS, Owin, AspNetCore (MVC, RazorPages, Blazor)
MIT License

CORS in YouTube iframe widget not working #334

Closed by donotcodeit 3 years ago

donotcodeit commented 3 years ago

Hi @mattkol. Actually, I've found the source of the problem already. There we have some CORS response header manipulation: https://github.com/chromelyapps/Chromely/blob/1f95b7d1475cd56bd9a50b1d8df7140e42810e22/src/Chromely/Browser/Handlers/DefaultExternalRequestSchemeHandler.cs#L161

The YouTube player uses withCredentials in requests to the video chunks API. So having Access-Control-Allow-Origin=* in the response headers will make the response fail with: Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’. Details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

I wasn't able to find the original reason for that code. So it leads me to the question: do we really need to force a wildcard for Access-Control-Allow-Origin? The app I'm working on is very complex. When I disabled that line, no new bugs appeared and the app continued to work as expected. And it fixes the YouTube bug.
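
The failure described in the comment above, as an added example that is not part of the original thread or Chromely's code: a JavaScript model of the browser's CORS check from the Fetch standard, run against constructed headers. `forceWildcard` is a hypothetical stand-in for a handler that overwrites the upstream header, and the origin `https://widget.example` is made up.

```javascript
// Added example: models the browser-side CORS check from the Fetch standard.
// Origins and header values below are constructed sample data.

// Header names are case-insensitive, so look them up without regard to case.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// credentialsMode "include" corresponds to XMLHttpRequest.withCredentials = true.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return { ok: false, reason: "missing allow-origin" };
  const withCredentials = credentialsMode === "include";
  if (allowOrigin === "*") {
    // The wildcard is only honoured for requests that carry no credentials.
    return withCredentials
      ? { ok: false, reason: "wildcard with credentials" }
      : { ok: true, reason: "wildcard, no credentials" };
  }
  if (allowOrigin !== requestOrigin) return { ok: false, reason: "origin mismatch" };
  if (!withCredentials) return { ok: true, reason: "origin match" };
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true"
    ? { ok: true, reason: "origin match with credentials" }
    : { ok: false, reason: "credentials not allowed" };
}

// Hypothetical model of a handler that replaces the upstream value with "*".
function forceWildcard(responseHeaders) {
  const out = {};
  for (const [key, value] of Object.entries(responseHeaders)) {
    if (key.toLowerCase() !== "access-control-allow-origin") out[key] = value;
  }
  out["Access-Control-Allow-Origin"] = "*";
  return out;
}

const origin = "https://widget.example"; // constructed
const upstream = {
  "access-control-allow-origin": origin,
  "Access-Control-Allow-Credentials": "true",
};

console.log(corsCheck(origin, "include", upstream));
console.log(corsCheck(origin, "include", forceWildcard(upstream)));
console.log(corsCheck(origin, "same-origin", forceWildcard(upstream)));
```

The upstream response passes on its own; only the rewritten copy fails, and only for the credentialed request, which is why the rest of an app can keep working while the player breaks.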

mattkol commented 3 years ago

@donotcodeit

The Original PR - Line 124 has this included. Maybe this is only related to what @Soarc was working on at the time.

I think it is advisable we remove it; most developers that will use the external scheme handlers will likely create their custom handlers using this as a guide anyways. So unless @Soarc advises otherwise, this will be removed.

Thanks.