3

We have a local development enviorment (localhost/) that communicates with our development API on a remote server (api-dev.host.com).

After the latest Chrome upgrade, I am getting the following console error when attempting to communicate from localhost to the remote server:

[Deprecation] SharedArrayBuffer will require cross-origin isolation as of M92, around July 2021. See https://developer.chrome.com/blog/enabling-shared-array-buffer/ for more details.

While the link in the error does display some information, it is unclear to me how to fix this issue. Is there anyway to fix this from the backend? Any answers would be appreciated.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Yinnon Hadad
  • 33
  • 4
  • What is not clear in the link? Quite hard to not just paraphrase what's being said there: send the COOP and COEP headers from your server to make your page [cross-origin isolated](https://developer.chrome.com/blog/enabling-shared-array-buffer/#cross-origin-isolation). – Kaiido Jun 01 '21 at 08:44
  • I've tried this and have not had any luck. Unfortunately it is not clear enough to me what type of header should be set. – Yinnon Hadad Jun 01 '21 at 08:52

1 Answers1

4

According to the link in the error message, this is due to a new security feature implemented in Chrome v92.

Chrome v92 is now requiring the Cross-Origin-Resource-Policy header in order to share resources between two or more origins. I assume you are trying to use a cookie or other resource set by api-dev.host.com and so you would need to implement the header or have your CORS configuration set to Access-Control-Allow-Origin: *.

If you do not have the Access-Control-Allow-Origin set to * you can set the Cross-Origin-Resource-Policy header using the following Nginx configuration:

add_header Cross-Origin-Resource-Policy 'cross-origin' always;

There are multiple different values to the header but cross-origin will allow you to access resources between origins (localhost and api-dev.host.com are different origins).

Notice that you may have had SameSite=Lax or other configuration. In order to access the cookies supposed to be set by the remote server together with the Cross-Origin-Resource-Policy you will need to have the following cookie configuration (you can check your cookie SameSite configuration here):

SameSite=None; Secure;

This should work assuming you are trying to access a cookie set by the remote server of a separate origin and do not have Access-Control-Allow-Origin set to *.

Bubble Hacker
  • 6,425
  • 1
  • 17
  • 24