Using domain causes CORS issues

I have built a brand-new V3 admin using a custom (sub)-domain. However, I get a CORS error when using certain functionality, because JS for them are loaded using

asset()

asset()

which looks at the .env APP_URL, which is the main applications URL, not my subdomain. How can I fix this?

Shaung Bhone•8/7/23, 11:42 AM

https://laravel.com/docs/10.x/vite#custom-base-urls

trovsterOP•8/7/23, 12:23 PM

That will change it for my main site as well, which is not what I want.

Dhruva•8/8/23, 10:42 AM

I am also facing same issue for sub domains.

Please help.

awcodes•8/8/23, 11:40 AM

This is related to laravel. Please look into how to set up CORS for subdomains.

trovsterOP•8/9/23, 12:52 PM

Yes and no. IMO, assets for the filament panel should respect the domain in which the panel is set up. Strangely, most CSS/JS is loaded from the APP_URL domain (not the filament domain) but only a few threw up CORS issues.

toeknee•8/9/23, 12:53 PM

Again this is really a Laravel issue, we don't want to be manipulating the laravel cors domains by default. IF you are using multiple domains, you need to set the domains which can be used to render etc with the laravel cors settings.

trovsterOP•8/9/23, 1:44 PM

But the cors config has … I guess because this is a static asset and not going through PHP.

trovsterOP•8/9/23, 1:47 PM

Assets work fine, but not when alpine tries to include them.

toeknee•8/9/23, 1:49 PM

What is requesting it?

toeknee•8/9/23, 1:49 PM

Ahh I see

trovsterOP•8/9/23, 1:49 PM

Adding to a SelectFilter

toeknee•8/9/23, 1:49 PM

You need to add serverside CORS

toeknee•8/9/23, 1:50 PM

Because you are requesting the file directly it's not going through laravel cors

toeknee•8/9/23, 1:50 PM

so it is missing *

trovsterOP•8/9/23, 1:50 PM

So, not "server-side" but web-server level.

Ttrovster So, not "server-side" but *web-server* level.

toeknee•8/9/23, 1:50 PM

Which is indeed handled in the server-side

Dhruva•8/9/23, 4:08 PM

@trovster are you able to find solution for this issue?

trovsterOP•8/9/23, 8:43 PM

@dhruva81 not at the moment, but I am investigating it. You can solve it with htaccess if you use Apache or else would be handled with nginx or whatever webserver you're using.

trovsterOP•8/9/23, 8:56 PM

This seems to work…

awcodes•8/9/23, 8:58 PM

you really should handle this at the server level and not the application level as it's a CSP issue.

trovsterOP•8/9/23, 9:01 PM

With nginx or Apache?

awcodes•8/9/23, 9:01 PM

either

awcodes•8/9/23, 9:02 PM

it's the same concept regardles

trovsterOP•8/9/23, 9:02 PM

Yeah, sorry, I meant with the webserver, whichever you have running.

awcodes•8/9/23, 9:03 PM

some good information at https://content-security-policy.com/

Content-Security-Policy (CSP) Header Quick Reference

CSP or Content Security Policy Header Reference Guide and Examples

trovsterOP•8/9/23, 9:04 PM

Ah, yes, that fun. I remember adding these to AWS following a security audit.

Travis•9/5/23, 12:42 PM

I've also suddenly experienced similar problems....in a Laravel vapor environment.

For all filament JS assets, they are "blocked:csp" all of the sudden.

Thursday's deployment was v2...and worked fine. Today's deployment was after an upgrade to v3, and it fails to load the resources.

The assets that fail to load are JS assets that use our cloudfront URL instead of our actual subdomain/domain URL. Livewire, for example, loads from our subdomain/domain and not the cloudfront URL.

I suspect this is the problem...but I'm not exactly sure how to resolve it. It seems something has changed between v2 and v3 that makes loading these assets (by the way it determines the asset URLs) behave differently.

awcodes•9/5/23, 12:48 PM

in v3 the assets for filament get published to the public directory, they are no longer served through php

Aawcodes in v3 the assets for filament get published to the public directory, they are no...

Travis•9/5/23, 1:00 PM

Ah...so this is the change that I've missed.

I think I need to manually set for each Vapor environment....to our own subdomain/domain URL and not the cloudfront URL that it's currently set to...by Vapor.

TTravis Ah...so this is the change that I've missed. I think I need to manually set `AS...

awcodes•9/5/23, 1:01 PM

sounds right, but I haven't worked with Vapor so I don't know. LOL.

Travis•9/5/23, 1:50 PM

LOL! It's great in many ways, but it has its own quirks, too....always learning something.

Aawcodes sounds right, but I haven't worked with Vapor so I don't know. LOL.

Travis•9/5/23, 1:51 PM

Thx, btw. I'll let you know if this works out. Today seems to be filled with a lot of fires, so I can't get back to it just yet.

TTravis Thx, btw. I'll let you know if this works out. Today seems to be filled with a...

awcodes•9/5/23, 1:51 PM

no worries, hope you get it sorted. and get the fires out.

Aawcodes no worries, hope you get it sorted. and get the fires out.

Travis•9/6/23, 2:36 PM

No luck...

Looks like I need to set my content security policy, which I'm trying to do via spatie's laravel-csp package....but, it doesn't seem to be doing the trick. The header's set, but it appears to be set via vapor/aws and it's not respecting/allowing the laravel-csp directives to be set.

So...the search goes on....

awcodes•9/6/23, 2:39 PM

gross.

trovsterOP•9/7/23, 10:22 AM

You can't use a PHP/Laravel solution for the CORS issue with these files. The header needs to be set on the webserver. I resolved this with .htaccess on the server (and nginx via Valet locally). But then I got issues with "double headers" being sent as Laravel has CORS configured to. I had to use the following;

trovsterOP•9/7/23, 10:22 AM

It would be so much nicer if the assets were loaded from the

->domain()

->domain()

value.

TTravis No luck... Looks like I need to set my content security policy, which I'm tryin...

toeknee•9/7/23, 10:25 AM

Yep it's a PITA you need to use it on the mod security or if using Nginx, there. And apply the policies that way/

Ttrovster You can't use a PHP/Laravel solution for the CORS issue with these files. The he...

Travis•9/7/23, 1:22 PM

Thx for your input. I'm not so much worried about CORS at the moment as I am CSP. Are you suggesting that there's nothing I can do for either...?

Travis•9/7/23, 1:23 PM

I'm doing this in a Laravel Vapor environment, which presents its own unique set of challenges, fwiw....

Travis•9/8/23, 7:29 AM

OK....fwiw, I found a solution. It works fine with Spatie's laravel-csp. The problem was that we have some middleware that was overwriting the CSP header. Once that was addressed, it worked perfectly.

diegslapasteque•9/13/23, 6:51 AM

Hello everyone

I faced the same issue, and I found a solution to serve assets using the new domain if you're interested in :

1 - Create a new FILAMENT_ASSET_URL=https://admin.example.com in your

.env

.env

.

2 - Add a new configuration value in config/filament.php :

3 - Add this code at the beginning of to replace the asset url at runtime :

It's not mandatory to create a dedicated environment variable like I did, but I prefer to do it to keep the same behavior than laravel that also have a dedicated variable. Moreover, if the assets are stored on a CDN or something like that, it will be easy to change the FILAMENT_ASSET_URL too.

Maybe I should create a PR to propose to add a new ->assetUrl() method in the Filament\Panel, or to directly change the when a

->domain()

->domain()

is called...

Hope it will helps

Anik•1/13/24, 10:32 PM

anyone done this for images as well?

Anik•1/13/24, 10:45 PM

❓┊helpPanel domain - CORS Issue - Spatie Media Library File Upload

Anik•1/14/24, 2:19 PM

https://github.com/filamentphp/filament/discussions/5485#discussioncomment-5427539

GitHub

CORS error using FileUpload with Laravel Sail and Share · filamentp...

I have a FileUpload form component as follows: Forms\Components\FileUpload::make('images') ->image() ->columnSpan('full') ->maxSize(1024) ->multiple() ->maxFiles(5) -...