
Typeform not loading because of cross-origin isolation.

Open jeton-th opened this issue 3 years ago • 6 comments

Description

In a ReactJS application, I'm using a library that requires cross-origin isolation in order to use the SharedArrayBuffer feature. These are the headers I need to add:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

The problem

The embedded Typeform is not loading anymore:

image

This is the error from the network activity tab in developer tools related to the Typeform resource:

To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers:
Cross-Origin-Resource-Policy: same-site
Choose this option if the resource and the document are served from the same site.
Cross-Origin-Resource-Policy: cross-origin
Only choose this option if an arbitrary website including this resource does not impose a security risk.

jeton-th avatar Dec 30 '21 11:12 jeton-th
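
The check behind this error, as an added example (not code from the issue or from Typeform): a JavaScript model of how a page served with Cross-Origin-Embedder-Policy: require-corp decides whether an embedded resource or iframe may load. The host names are constructed, and site() approximates the registrable domain with the last two host labels instead of the Public Suffix List.

```javascript
// Added example: models the embedding check for a page sent with COEP: require-corp.
// Assumption: "site" = scheme + last two host labels (a real browser uses the Public Suffix List).
const site = (u) => `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;

// Read one policy header case-insensitively, dropping parameters such as report-to.
function policy(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]).split(';')[0].trim().toLowerCase() : null;
}

// SharedArrayBuffer needs both headers on the top-level document.
function isCrossOriginIsolated(headers) {
  const coep = policy(headers, 'cross-origin-embedder-policy');
  return policy(headers, 'cross-origin-opener-policy') === 'same-origin' &&
    (coep === 'require-corp' || coep === 'credentialless');
}

// kind: 'no-cors' (e.g. <img>, <script> without crossorigin), 'cors', or 'iframe'.
function coepCheck(pageUrl, pageHeaders, resUrl, resHeaders, kind) {
  const page = new URL(pageUrl), res = new URL(resUrl);
  if (policy(pageHeaders, 'cross-origin-embedder-policy') !== 'require-corp')
    return { allowed: true, reason: 'embedder does not enforce require-corp' };
  if (kind === 'cors')
    return { allowed: true, reason: 'CORS-mode request: CORS decides, CORP is not consulted' };
  if (kind === 'iframe') {
    const childCoep = policy(resHeaders, 'cross-origin-embedder-policy');
    if (childCoep !== 'require-corp' && childCoep !== 'credentialless')
      return { allowed: false, reason: 'framed document sends no compatible COEP header' };
  }
  // Under require-corp a missing or unrecognised CORP value is treated as same-origin.
  let corp = policy(resHeaders, 'cross-origin-resource-policy');
  if (!['same-origin', 'same-site', 'cross-origin'].includes(corp)) corp = 'same-origin';
  const ok = corp === 'cross-origin' || page.origin === res.origin ||
    (corp === 'same-site' && site(page) === site(res));
  return { allowed: ok, reason: `effective CORP ${corp}` };
}

// Constructed sample: an isolated app embedding a third-party form in an iframe.
const appHeaders = {
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Opener-Policy': 'same-origin',
};
const app = 'https://app.example.com/', form = 'https://forms.example.net/embed';
console.log(isCrossOriginIsolated(appHeaders));
console.log(coepCheck(app, appHeaders, form, {}, 'iframe'));
console.log(coepCheck(app, appHeaders, form, {
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Resource-Policy': 'cross-origin',
}, 'iframe'));
```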

Hello @jeton-th I will talk to our security team to figure out how adding those headers would affect other customers and if we can do it.

mathio avatar Dec 30 '21 11:12 mathio

The change was approved by security, I will update you here when we add the header.

mathio avatar Jan 07 '22 15:01 mathio

Update: This change is not as straightforward as we anticipated. Assets loaded by typeform (such as images) will need to send those headers as well, otherwise they will not load.

mathio avatar Jan 20 '22 12:01 mathio

Update: this will require some infra changes on our side, so please do not expect support for this case in the nearest future. We will be posting updates, if any, in this issue.

maxprilutskiy avatar Feb 18 '22 12:02 maxprilutskiy

Hello @jeton-th there were some recent changes to our CSP headers. Can you please see if this resolved the issue in your application?

mathio avatar Apr 27 '22 09:04 mathio

Hello @jeton-th there were some recent changes to our CSP headers. Can you please see if this resolved the issue in your application?

No, the issue remains.

jeton-th avatar Jul 16 '22 05:07 jeton-th

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Nov 25 '22 02:11 github-actions[bot]

Hi @jeton-th, we're going to close out this issue for the time being.

As you know, we've spoken internally about solving this and whilst we've tried to make headway, the solution is more complex than we'd initially thought.

We appreciate it's something that would improve your implementation of an embed and we've logged the feedback so that we can continue to assess how to prioritize an improvement.

mathio avatar Nov 28 '22 11:11 mathio