I’m trying to load the Sandbox onto my page, and have been fighting for days to try to find workarounds to my issue.
The biggest complication in my environment is that I need to set the COEP header on my main document:
Cross-Origin-Embedder-Policy: require-corp
Because of this, I get the following when ApolloSandbox goes to load the sandbox from /sandbox/explorer:
Specify a Cross-Origin Resource Policy to prevent a resource from being blocked
Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP). This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded.
To solve this, add the following to the resource’ response header:
* Cross-Origin-Resource-Policy: same-site if the resource and your site are served from the same site.
* Cross-Origin-Resource-Policy: cross-origin if the resource is served from another location than your website. If you set this header, any website can embed this resource.
Alternatively, the document can use the variant: Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.
===========
IIUC, I need that request to return the CORP response header for Sandbox:
Cross-Origin-Resource-Policy: cross-domain
I’ve tried lots of things, including forwarding requests through proxies, hacking the EmbeddedSandbox code to accept a proxyHost parameter, trying to transform the request… Is there any way for me to get this working?
Just a heads up that I got further down the line, and think the remaining thing I need is for
the /sandbox/explorer/explorer endpoint
…to return a CORS header:
Access-Control-Allow-Origin: *
Any chance this is/would be possible? Happy to go into detail on everything I’ve done to lead to this point.
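The two header requirements discussed in this thread (CORP for the embedded load, CORS for the fetch) can be modelled as below. This is an added example, not part of the original posts and not Apollo's code; it is a simplified version of the browser's check, and the hosts passed to it are constructed placeholders.

```javascript
// Simplified model of how a browser decides whether a cross-origin load is allowed
// when the embedding document sets Cross-Origin-Embedder-Policy.
// Assumptions: registrable domain = last two host labels (browsers use the Public
// Suffix List), requests carry no credentials, and only COEP "require-corp" is modelled.
const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

function site(url) {
  return url.hostname.split(".").slice(-2).join(".");
}

// Case-insensitive header lookup on a plain object; returns null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// mode: "no-cors" (iframe, <img>, <script> without crossorigin) or "cors" (fetch/XHR).
function checkLoad({ documentUrl, coep, resourceUrl, mode, headers }) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  if (doc.origin === res.origin) return { allowed: true, reason: "same-origin" };

  if (mode === "cors") {
    // CORS requests are governed by Access-Control-Allow-Origin, not CORP.
    const acao = header(headers, "access-control-allow-origin");
    const ok = acao === "*" || acao === doc.origin;
    return { allowed: ok, reason: ok ? "cors-ok" : "cors-missing-acao" };
  }

  let policy = header(headers, "cross-origin-resource-policy");
  if (!CORP_VALUES.has(policy)) policy = null; // unrecognised tokens count as absent
  // Under require-corp a missing policy is treated as same-origin.
  if (policy === null && coep === "require-corp") policy = "same-origin";

  if (policy === null || policy === "cross-origin") return { allowed: true, reason: "corp-ok" };
  if (policy === "same-site" && site(doc) === site(res) &&
      (doc.protocol === "https:" || res.protocol !== "https:")) {
    return { allowed: true, reason: "corp-same-site" };
  }
  return { allowed: false, reason: "blocked-by-corp" };
}
```

Running a captured response's headers through `checkLoad` shows which of the two headers a given request is missing before changing a proxy or server configuration.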