Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
itch.io Community » itch.io » Questions & Support

CORS error even though no external servers are being accessed

A topic by haroldo-ok created 51 days ago Views: 181 Replies: 4
Viewing posts 1 to 3
haroldo-ok51 days ago

Hello, I'm having a problem when deploying my game:

The tool that I'm trying to deplou on itch.io contains an `<iframe>` that runs some logic. When running, it returns the following error:

'Uncaught DOMException: Permission denied to access property "generatedAssemblyCode" on cross-origin object'

I can't change the CORS settings because both files are served together on the exact same place within itch.io.

The tool isn't acessing any external files at all; they are all in the same place.

The tool runs okay when executed from an arbitrary plac.

ZIP that I'm trying to deploy: https://github.com/haroldo-ok/CVBasic-emscripten/releases/download/v0.0.3/CVBasi...

Reply
hechelion51 days ago

I'm not an HTML developer, but what you mentioned may be this post is relevant.

https://itch.io/t/2025776/experimental-sharedarraybuffer-support

Reply
haroldo-ok50 days ago (1 edit)

Many thanks for the reply, but unfortunately the tool isn't actually accessing any external domains,  everything is being deployed together with no access to external dependencies.

In fact, when deployed on Github unmodified and with default settings, it shows no issues:
https://haroldo-ok.github.io/CVBasic-emscripten/

Reply
hadhad@Had2Apps38 days ago(+1)

The issue is likely caused by the browser's same-origin policy in combination with iframe sandbox restrictions.
While it may appear to be a cross-origin issue, the actual culprit is often the sandbox attribute.

The HTML iframe tag can have a sandbox attribute for security purposes.
It's possible that itch.io embeds uploaded content in a sandboxed iframe hosted on their own servers.
When the sandbox attribute is present, it restricts JavaScript interactions between parent and child frames, form submissions, popups, and same-origin access.
If allow-same-origin is not specified, the iframe content is treated as coming from a completely different origin.
As a result, once an iframe is sandboxed, it is treated as cross-origin, and this leads to a “Permission Denied” error.

Therefore, I recommend reviewing how you're handling iframes or considering alternatives that don't rely on using iframes.

Reply
haroldo-ok36 days ago(+1)

Okay, thanks for pointing a direction; it seems I will have to refactor that part system, while figuring out how to force Emscripten to reset the compiled application's variables.

https://github.com/haroldo-ok/CVBasic-emscripten/issues/27

Reply
AboutFAQBlogContact us
Copyright © 2025 itch corp · Directory · Terms · Privacy · Cookies