Why crossorigin is set to "anonymous"?

[cheonhyangzhang]

In embed.js, adaptive-player.js, sphere-renderer.js
I noticed that the crossorigin property is set to be anonymous
which means
there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification.

What's the purpose of making this to be anonymous?

Current I am using vrview js to load the url of a video where the url is protected by the Basic Auth.
E.g the page is www.example.com/page then the video is www.example.com/assets/video.mp4.
Then when I hit the www.example.com/page in the browser, it asks for basic auth, then I input the user name and password, then the page will load while the video is not loading.
When I check the request in the network tab of the browser, I can see the request returns a 401 Unauthorized and it's saying no authorization information is passed in.

So I am guessing when the vrview lib is making request to retrieve the video content, somehow it's not passing the basic auth information, basically the header Authorization : Basic 2dsjdslkfsahgasldjflaksjdflasnv .

[lincolnfrog]

This is the commit that introduced the anonymous crossorigin: 0fec810

I tried setting it to 'use-credentials' instead and everything seems to work. Someone just needs to test it in iOS: #193

[cheonhyangzhang]

@lincolnfrog wow cool I can try to test this in iOS.

[lincolnfrog]

Thanks! Let me know how it goes. Again, here is the PR: #193

[cheonhyangzhang]

Hmm I found it's still not working on Mac Chrome.
I saw iframe created by the lib is

<iframe allowfullscreen="true" scrolling="no" width="100%" height="100%" src="/bula/bula/bula/embedded-content.html?is_stereo=false&is_vr_off=true&is_autopan_off=false&video=/somepath/360testvideo.mp4" style="border: 0px;"></iframe>

I saw the request to /bula/bula/bula/embedded-content.html is still not with Authorization header.