Infinite reload loop using component exporter

We are attempting to use Vaadin 14.0.0.rc7 to create an application that can be used as a component from an Angular (or other non-Vaadin) web page.

When the request comes from a different host/port than the Vaadin app is using (CORS), the page loads partially but then attempts to reload before it is finished loading. The JavaScript log output on the browser appears to fail with…

Received xhr message: for(;;);[{"meta":{"sessionExpired":true}}]

Response didn’t contain a server id. Please verify that the server is up-to-date and that the response data has not been modified in transmission.

On a side note, the CORS headers are added via an extension of the Vaadin servlet to allow the request host/port in question.

In the failing test, the Vaadin app being embedded and the requesting HTML page are both served from localhost - just from different ports.

We are currently not officially supporting cross-site embedding of exported web components because of various complications. The most serious problem is that the Intelligent Tracking Prevention feature in recent versions of Safari has a tendency to block essential cookies. There are also known problems with the HTML import polyfills if you’re not using npm mode. Furthermore, we haven’t put any effort into writing documentation or verified that general error handling and error messages are tuned to typical cases that may happen in a cross-site situation.

For this reason, I would recommend that you use an HTTP proxy on the same host/port so that there wouldn’t be any cross-site activity from the browser’s point of view.

The error message you’re describing sounds like the CORS request doesn’t include any session cookie. Tracing down those kinds of issues is typically quite tricky. The easiest way is usually to look at the HTTP headers in requests and responses and compare the structure between a working non-cross-site case and a non-working cross-site case.
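
The header comparison suggested above can be scripted. This is an added example, not part of the original thread and not Vaadin code. It assumes the session cookie is named JSESSIONID (the servlet container default); the captures, ports, path and cookie values are constructed placeholders.

```javascript
const SESSION_COOKIE = "JSESSIONID"; // assumption: servlet container default name
// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Findings for one captured request/response pair.
function checkExchange(capture) {
  const req = normalize(capture.request), res = normalize(capture.response);
  const findings = [];
  const sent = (req["cookie"] || "").split(";")
    .some(p => p.trim().startsWith(SESSION_COOKIE + "="));
  if (!sent) findings.push("request-missing-session-cookie");
  // A fresh Set-Cookie on a follow-up request means the server started a new session.
  if ((res["set-cookie"] || "").includes(SESSION_COOKIE + "="))
    findings.push("server-issued-new-session");
  // Origin is also sent on same-origin POSTs, so compare it with the target URL.
  const origin = req["origin"];
  if (origin && origin !== new URL(capture.url).origin) {
    const acao = res["access-control-allow-origin"];
    if (acao === "*") findings.push("wildcard-origin-blocks-credentials");
    else if (acao !== origin) findings.push("allow-origin-mismatch");
    if (res["access-control-allow-credentials"] !== "true")
      findings.push("allow-credentials-not-true");
  }
  return findings;
}

// Findings present in the failing capture but absent from the working one.
function diffFindings(working, failing) {
  const base = new Set(checkExchange(working));
  return checkExchange(failing).filter(f => !base.has(f));
}

// Constructed captures: ports, path and cookie values are placeholders.
const working = {
  url: "http://localhost:8080/app/",
  request: { Origin: "http://localhost:8080", Cookie: "JSESSIONID=constructed123" },
  response: { "Content-Type": "application/json" },
};
const failing = {
  url: "http://localhost:8080/app/",
  request: { Origin: "http://localhost:4200" },
  response: { "Access-Control-Allow-Origin": "*",
              "Set-Cookie": "JSESSIONID=constructed456; Path=/; HttpOnly" },
};
console.log(diffFindings(working, failing));
```

If the CORS response headers check out and only the request cookie is missing, the cross-origin request is being sent without credentials on the client side.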

Thanks, that gives us something to go on at least. Of course, the lack of CORS does put a bit of a crimp on the usefulness of embedding as a component.

We’ll try playing some games with a proxy and such and see how it goes.