Can't get the Apollo Sandbox working in my env (with COEP)

I’m trying to load the Sandbox onto my page, and have been fighting for days to try to find workarounds to my issue.

The biggest complication in my environment is that I need to set the COEP header on my main document:
Cross-Origin-Embedder-Policy: require-corp

Because of this, I get the following when ApolloSandbox goes to load the sandbox from /sandbox/explorer:

  1. Specify a Cross-Origin Resource Policy to prevent a resource from being blocked
  2. Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP). This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded.

To solve this, add the following to the resource's response header:
* Cross-Origin-Resource-Policy: same-site if the resource and your site are served from the same site.
* Cross-Origin-Resource-Policy: cross-origin if the resource is served from another location than your website. Warning: if you set this header, any website can embed this resource.

Alternatively, the document can use the variant: Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.
IIUC, I need that request to return the CORP response header from Sandbox:
Cross-Origin-Resource-Policy: cross-domain

I’ve tried lots of things, including forwarding requests through proxies, hacking the EmbeddedSandbox code to accept a proxyHost parameter, trying to transform the request… Is there any way for me to get this working?

For grins, I did take a look at the response headers you all send:

For the direct link to "/v2/embeddable-sandbox.umd.production.min.js":

HTTP/2 200
x-guploader-uploadid: ABPtcPpxIgn3uea_BaK219iSWZnR83qYlFFUw2kET8u71nMLHRpkfKF6bBRohem4sci27QvOA98
x-goog-generation: 1704904270783136
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 72980
x-goog-meta-goog-reserved-file-mtime: 1704904229
x-goog-hash: crc32c=YFlnng==
x-goog-hash: md5=UTCP0wuIz5BaB1m6p3Y1Ug==
x-goog-storage-class: STANDARD
accept-ranges: bytes
content-length: 72980
access-control-allow-origin: *
access-control-expose-headers: Access-Control-Allow-Origin
server: UploadServer
date: Tue, 30 Jan 2024 03:57:59 GMT
age: 647
last-modified: Wed, 10 Jan 2024 16:31:10 GMT
etag: "51308fd30b88cf905a0759baa7763552"
content-type: application/javascript
cache-control: public,max-age=3600
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

And then, there's the Embedded Sandbox: "/sandbox/explorer"

HTTP/2 200
date: Tue, 30 Jan 2024 04:13:01 GMT
content-type: text/html; charset=UTF-8
cache-control: public, max-age=14400
cache-status: "Netlify Edge"; hit
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=15552000; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: OFF
x-nf-request-id: 01HNC941PCKZGX68HBB7R0QHS4
x-xss-protection: 1; mode=block
cf-cache-status: MISS
expires: Tue, 30 Jan 2024 08:13:01 GMT
server: cloudflare
cf-ray: 84d6e1444f7d4241-EWR
alt-svc: h3=":443"; ma=86400

I wanted to confirm there's no CORP header, and there isn't.

UPDATE: I was able to set up a proxy server, which gets around a lot of this issue, but I still need a CORS header for the /sandbox/explorer endpoint.

Just a heads up that I got further down the line, and I think the remaining thing I need is for the /sandbox/explorer/explorer endpoint to return a CORS header:
Access-Control-Allow-Origin: *

Any chance this is/would be possible? Happy to go into detail on everything I’ve done to lead to this point.
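As an added illustration, not from the original post or from Apollo, the following JavaScript models the COEP/CORP rules the DevTools message quotes, applied to a cross-origin resource; the hostnames are constructed, and "site" is approximated as scheme plus the last two host labels (an assumption; browsers use the Public Suffix List).

```javascript
// Added example (not from the original post or Apollo): a simplified model of
// the COEP/CORP decision quoted from DevTools above. Hostnames are constructed.
// Assumption: "site" = scheme + last two host labels (browsers use the PSL).

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

// Only these CORP values are recognized; anything else counts as no header.
const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// Decide whether a document at documentUrl, served with COEP value `coep`
// ("require-corp", "credentialless" or "unsafe-none"), may embed the
// resource at resourceUrl whose response carried responseHeaders
// (lower-case header names). Returns { allowed, reason, credentials }.
function evaluateCoep(documentUrl, coep, resourceUrl, responseHeaders) {
  const raw = (responseHeaders["cross-origin-resource-policy"] || "").trim().toLowerCase();
  const corp = CORP_VALUES.has(raw) ? raw : null;
  const sameOrigin = originOf(documentUrl) === originOf(resourceUrl);
  const sameSite = siteOf(documentUrl) === siteOf(resourceUrl);
  const result = (allowed, reason, credentials = "include") => ({ allowed, reason, credentials });

  if (sameOrigin) return result(true, "same-origin resource");
  // CORP is enforced on its own, whether or not the document sets COEP.
  if (corp === "same-origin") return result(false, "CORP same-origin refuses cross-origin embedding");
  if (corp === "same-site") {
    return sameSite ? result(true, "CORP same-site, same site") : result(false, "CORP same-site refuses cross-site embedding");
  }
  if (corp === "cross-origin") return result(true, "CORP cross-origin permits embedding");

  // No recognized CORP header: the document's embedder policy decides.
  switch (coep) {
    case "require-corp":
      return result(false, "COEP require-corp: resource has no CORP header");
    case "credentialless":
      return result(true, "COEP credentialless: loaded without cookies", "omit");
    default:
      return result(true, "no COEP enforced");
  }
}

// Constructed check mirroring the post: embedding a cross-site page with no CORP.
console.log(evaluateCoep("https://app.example.com/", "require-corp", "https://sandbox.example.net/sandbox/explorer", {}));
```

It shows why a require-corp document needs the embedded resource to carry a recognized CORP value, and why credentialless loads it but drops cookies.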