CORS does not work in my hubs

[nonew]

@robinkwilson

I follow #3926 but still cannot open the external website in my custom client.
Here are what I did:

1. use iframe to open baidu.com, like this:

<iframe className="home-iframe" frameBorder="0" src="https://www.baidu.com" />

2. delete this parameter: /ita/{stack name}/reticulum/security/cors_origins in AWS Parameter Store

3. Add additional domains in hub's main domain > Admin Panel > Server Settings > Advanced tab > "Allowed CORS Origin" field
   https://{main domain}.com, https://{link domain}.link, {main domain}.com, {link domain}.link, https://youtube.com, https://google.com, https://vimeo.com, https://baidu.com

Here are Chrome Dev errors while I opening hubs:

phoenix-utils.js:51 GET https://xxx.com/api/v1/meta 502
AuthContext.js:122 SyntaxError: Unexpected token < in JSON at position 0
app-icon.png:1 GET https://xxx.com/app-icon.png 404
(index):1 Error while trying to use the following icon from the Manifest: https://xxx.com/app-icon.png (Download error or resource isn't a valid image)
xxxx-…xxx.com/:1 Refused to frame 'https://www.baidu.com/' because it violates the following Content Security Policy directive: "frame-src 'self' https://www.youtube.com https://docs.google.com https://player.vimeo.com".

Thanks!

[rawnsley]

CORS is not the problem here. As the log message suggested you need to change your Content Security Policy (CSP) list. I appreciate that it is confusing.

In future I would suggest searching here and Discord for key terms first. I answered this question already earlier in the week.

Also, don't delete parameters directly from AWS unless you are sure you know what you are doing. Everything you need should be available through the Hubs Cloud Admin pages.

[robinkwilson]

Awesome answer. I personally told them to delete the cors_origins parameter in the parameter store in case it was written incorrectly, since they couldn't access the Admin Panel at all.

@rawnsley Do you mind typing up your solution here? People can't access the Discord link unless they're already part of community (which is why we moved out of discord to Github Discussions!

[rawnsley]

Done. Thanks @robinkwilson

[rawnsley]

CORS and CSP are different things. CORS is what the remote server allows you to download and CSP is what sources the local page trusts to do sensitive things like run scripts. You might need to add your remote server to the CSP list of your Hubs Cloud.

These are my settings so you can see the format.