improve CORS handling by mini-browser #3589
Comments
Note, although CORS errors are logged to the Chrome console, they're not visible from the JS code due to security reasons. At least that was my experience; hence there is no special error handling. I hope someone else with more experience finds a solution. |
|
Random note: projects using
I don't know why a development web server would be so annoyingly strict about these things, but webpack is very popular these days, so I'm seeing these issues a lot. |
|
After implementing webviews, I've learned that many websites are secured from embedding them in other websites with We could consider to use the headless chrome instead of embedding others web-sites via iframe. It will run as a separate process (so no issues with security) and serve content to us. It's a way how the browser preview extension for VS Code works. Alternatively we can evaluate whether we can replace our mini-browser with this VS Code extension completely. I'm not sure whether it does everything what we need and we want to give up a control over it. Maybe there is a hybrid solution. Related to #6562, i.e. it would be good to use webviews while reimplementing the mini-browser to secure it. |
There are 2 cases to consider:
httpfrom Theia deployed underhttps, in this case we should notify a user about CORS issues. Right now they are only logged in the dev tool console and the mini browser is spining forever.httpsscheme, in this case some pages cannot be opened in iframe (see images below). The mini-browser should detect it and propose a user to open such page in a new browser tab.The text was updated successfully, but these errors were encountered: