search

googlearchive / vrview

Library for embedding immersive media into traditional websites.
http://developers.google.com/cardboard/vrview
Apache License 2.0
1.71k stars 1.09k forks source link

Why crossorigin is set to "anonymous"? #166

Open cheonhyangzhang opened 7 years ago

cheonhyangzhang commented 7 years ago

In embed.js, adaptive-player.js, sphere-renderer.js I noticed that the crossorigin property is set to be anonymous which means there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification.

What's the purpose of making this to be anonymous?

Current I am using vrview js to load the url of a video where the url is protected by the Basic Auth. E.g the page is www.example.com/page then the video is www.example.com/assets/video.mp4. Then when I hit the www.example.com/page in the browser, it asks for basic auth, then I input the user name and password, then the page will load while the video is not loading. When I check the request in the network tab of the browser, I can see the request returns a 401 Unauthorized and it's saying no authorization information is passed in.

So I am guessing when the vrview lib is making request to retrieve the video content, somehow it's not passing the basic auth information, basically the header Authorization : Basic 2dsjdslkfsahgasldjflaksjdflasnv .

lincolnfrog commented 7 years ago

This is the commit that introduced the anonymous crossorigin: https://github.com/googlevr/vrview/commit/0fec8102354fb0b6b936bd7c5d7097125aa42e19

I tried setting it to 'use-credentials' instead and everything seems to work. Someone just needs to test it in iOS: https://github.com/googlevr/vrview/pull/193

cheonhyangzhang commented 7 years ago

@lincolnfrog wow cool I can try to test this in iOS.

lincolnfrog commented 7 years ago

Thanks! Let me know how it goes. Again, here is the PR: https://github.com/googlevr/vrview/pull/193

cheonhyangzhang commented 7 years ago

Hmm I found it's still not working on Mac Chrome.
I saw iframe created by the lib is 

<iframe allowfullscreen="true" scrolling="no" width="100%" height="100%" src="/bula/bula/bula/embedded-content.html?is_stereo=false&is_vr_off=true&is_autopan_off=false&video=/somepath/360testvideo.mp4" style="border: 0px;"></iframe>

I saw the request to /bula/bula/bula/embedded-content.html is still not with Authorization header.