Add headers to enable SharedArrayBuffer in stories #16970
Conversation
☁️ Nx Cloud ReportCI ran the following commands for commit cc835b0. Click to see the status, the terminal output, and the build insights. 📂 See all runs for this branch ✅ Successfully ran 1 targetSent with 💌 from NxCloud. |
|
I see no reason NOT to do this.. |
|
Hi! Any chance that this will be merged? We're integrating some WASM into our project and are blocked by this change. In the meantime, any workaround available or way for us to locally patch this? |
| @@ -32,6 +32,10 @@ export async function storybookDevServer(options: Options) { | |||
| app.use((req, res, next) => { | |||
| res.header('Access-Control-Allow-Origin', '*'); | |||
| res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept'); | |||
| // These headers are required to enable SharedArrayBuffer | |||
| // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer | |||
| res.header('Cross-Origin-Opener-Policy', 'same-origin'); | |||
There was a problem hiding this comment.
@darthtrevino this caused me havoc on friday.
This exact example or any https:image file here got hit with cors.
// .storybook/YourTheme.js
import { create } from '@storybook/theming';
export default create({
base: 'light',
brandTitle: 'My custom storybook',
brandUrl: 'https://example.com',
brandImage: 'https://place-hold.it/350x150',
});
This also got hit with cors
<script src="https://cdn.tailwindcss.com/"></script>Error in chrome and firefox -> "Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep"
I traced it to my yarn lock and then traced it from alpha 45 -> to alpha 50.
When you get a chance can you check create a theme kickstart (https://storybook.js.org/docs/react/configure/theming) or even attempt to load any script "https" in preview.html ->
There was a problem hiding this comment.
Ok so doing more research this change forces all img and src tags to add cross-origin. Research -> Chrome Coop-Coep, The video and this section (Note: Ask the owner part)
For cross origin resources that you have no control over:
Use the crossorigin attribute in the loading HTML tag if the resource is served with CORS. (For example, <img src="***" crossorigin>.)
Ask the owner of the resource to support either CORS or CORP.
TLDR:
Ask the owner of the resource to support either CORS or CORP.
We currently do not have access to img tag for the brandImage so thats one thing but I would assume if you added crossorigin & the 3rd party/external server supported cors it would work.
However, for the tailwind url or any server that does not returns cors, the browser will block it in this 'cross-origin isolated' state.
NOTE: In the "Response" below this 3rd party resource does not return cors, so although the local dev server sets allow-access-control. Chrome will block this request.
Response
age: 91167
cache-control: max-age=0
content-length: 0
date: Fri, 25 Mar 2022 10:08:11 GMT
location: /3.0.23
server: Vercel
strict-transport-security: max-age=63072000
x-vercel-cache: HIT
x-vercel-id: iad1::iad1::qksk4-1648294058985-2d84e8e6b035
Request
:authority: cdn.tailwindcss.com
:method: GET
:path: /
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
pragma: no-cache
referer: http://localhost:6006/
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
sec-gpc: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
There was a problem hiding this comment.
If my understanding is right maybe you can add COOP and COEP as a flag for story book instead, just like ssl is a flag. That way if you need shared array buffer, you will have to deal with the reality that any external resource that does not support CORS will not work.. WHICH is working as expected. However IMO I find this to be more of an edge case and therefore fits better as a flag with some caveat text around it.
Issue:
SharedArrayBufferis not available by default. In 2020, SharedArrayBuffer was reintroduced in some browsers provided that certain headers are present on the web assets. (See the Mozilla Documentation).We have some stories in our graph visualization library that perform graph layouts within a worker context, and these use a SharedArrayBuffer to efficiently communicate data. But right now those stories are broken because the memory is not shared across the worker context.
What I did
This PR adds the required headers to the Storybook Dev Server to enable SharedArrayBuffer. It would be nice to be to configure custom headers in the Storybook configuration file, but that does not seem possible currently.
How to test
I ran the storybook server locally and verified that SharedArrayBuffer was defined.