gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

Can we adjust Cross-Origin-Opener-Policy? #88

Closed stefandesu closed 2 years ago

stefandesu commented 2 years ago

I have found out that, probably due to an update to the Helmet library that we're using for security headers, we can't close the Login Server window from Cocoda even though we opened it through Cocoda (https://github.com/gbv/cocoda/issues/662).

Changing the Cross-Origin-Opener-Policy header to unsafe-none fixes the issue, but right now I'm not sure if there are any repercussions from this change. To improve the login flow in Cocoda, it would be nice to get the window closing back.

stefandesu commented 2 years ago

I found out if both client (i.e. the web server that hosts Cocoda) and server (Login Server) have the header set to same-origin-allow-popups, it works as well. 👍

stefandesu commented 2 years ago

To make it work during local development (where Cocoda and Login Server use different origins), I've made the header value dependent on config.ssl.
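As an added illustration (not code from gbv/login-server or from stefandesu's comments), the following dependency-free snippet sets the header the way the thread describes and encodes the opener/popup matching rule that explains why `same-origin` (Helmet's default) breaks `window.close()` from Cocoda while `unsafe-none`, or `same-origin-allow-popups` on both sides of a shared origin, keeps it working. The `config.ssl` switch and the assumption that an SSL deployment shares Cocoda's origin are mine, not the project's.

```javascript
// Added example, not part of gbv/login-server. Assumption: config.ssl === true
// means the production deployment, where Login Server and Cocoda share an
// origin; config.ssl === false means local development on different origins.
const COOP = "Cross-Origin-Opener-Policy";

// Choose the header value from the (assumed) config flag.
function coopValue(config) {
  return config && config.ssl ? "same-origin-allow-popups" : "unsafe-none";
}

// Express-style middleware factory; runs without Express because it only
// calls res.setHeader().
function coopMiddleware(config) {
  const value = coopValue(config);
  return function (req, res, next) {
    res.setHeader(COOP, value);
    if (typeof next === "function") next();
  };
}

// Minimal stand-in for an HTTP response so the example runs offline.
function fakeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Does the opener keep a usable handle (so win.close() works) for a popup with
// the given COOP values? Follows the browser rule: no browsing-context-group
// switch when both values match on the same origin (unsafe-none matches
// regardless of origin), or when a same-origin-allow-popups opener opens an
// unsafe-none popup. Any other combination severs the opener's reference.
function openerKeepsHandle(openerCoop, popupCoop, sameOrigin) {
  if (popupCoop === "unsafe-none") {
    return openerCoop === "unsafe-none" || openerCoop === "same-origin-allow-popups";
  }
  return openerCoop === popupCoop && sameOrigin;
}

// Usage: the header Login Server would send in each environment.
const prodRes = fakeResponse();
coopMiddleware({ ssl: true })({}, prodRes, () => {});
const devRes = fakeResponse();
coopMiddleware({ ssl: false })({}, devRes, () => {});
```

With Helmet's default `same-origin` on Login Server and Cocoda at `unsafe-none`, `openerKeepsHandle` returns `false`, which is the broken state from the first comment.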