Adding expiring link in iframe shows cors issues
We are calling the box API like so to get a preview link for a file:
https://api.box.com/2.0/files/{fileIdHere}?fields=expiring_embed_link
In our application we embed the resulting link in an iframe to show the user a file. We have noticed that the iframe will show CORS issues between our QA and prod box accounts if the user has used both our prod and qa applications.
Note that clearing the browsers cache causes the issue to go away, untill the browser gets back into a state where it has opened a link from both our prod and qa accounts.
Note that we are using our QA accounts api to generate links for the qa website and our Prod accounts api to generate links in the prod site.
Note the files display just fine and from the end users perspective nothing seems wrong.
XMLHttpRequest cannot load https://our-qa-box-app.app.box.com/gen204?category=preview&event_type=…nd_values%5Brendering_time%5D=980&keys_and_values%5Btotal_load_time%5D=980. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://our-prod-box-app.app.box.com' is therefore not allowed access.
-
Hi EHGTewilliams,
this is an expected behaviour. We do not support different sessions in different tabs, as the browser does not isolate sessions with tabs.
So the rule of thumb is: One browser one account.
There are a couple of workarounds you can use, if you need to separate the sessions:
- Use different browsers for different accounts, i.e. Chrome, Firefox, Opera, Safair / (Edge, Internet Explorer), ...
- Use a private browsing window for a second account, but within private browsing there is no session separation either.
- Use different user profiles
- Use an extension or browser that isolates sessions between tabs (use your favourite search engine to find one)
So in short to conclude, this is a browser behaviour, and multiple box logins are currently not supported by Box.
Please sign in to leave a comment.
Comments
1 comment