Tags: google-app-engine, authentication, safari, session-cookies

Safari 'origin is not allowed' blocking AppEngine Identity-aware proxy https://accounts.google.com/o/oauth2/v2/auth


Getting a redirect issue on Safari browser only when trying to load an AppEngine site with Identity-aware proxy enabled. It shows requests being redirected to https://accounts.google.com/o/oauth2/v2/auth but then failing.

Origin is not allowed by Access-Control-Allow-Origin


If I load the URL manually in a new tab in Safari I get: AppEngine error code 9.

I'm thinking it's probably to do with Safari's stricter cookie rules, somehow the IAP session cookie is being ignored because it's from another domain?


Solution

  • Safari seems to have stricter CORS rules, which may require additional rules, especially if using AppEngine IAP.

    If you are using <img>, <video>, <link> and <script> tags to load content from other domains using CORS, you need the crossorigin="use-credentials" attribute to allow the cookie sharing:

    <script src="https://example.com/script.js" crossorigin="use-credentials"></script>

    https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes

    Note: this is less secure.

    Angular has a build command which will add the attributes automatically for you:

    ng build --prod --crossOrigin=use-credentials

    https://angular.io/cli/build#options
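The server-side half of crossorigin="use-credentials", as an added example that is not part of the answer above: once the browser sends cookies with the request, the response must name the caller's exact origin (a wildcard "*" is rejected) and carry Access-Control-Allow-Credentials: true, otherwise Safari reports exactly the "Origin is not allowed by Access-Control-Allow-Origin" error from the question. The allowlisted origins are placeholders, and the helpers are framework-neutral so they can be dropped into any App Engine handler.

```python
"""Credentialed CORS helpers for an IAP-protected App Engine origin (added example)."""
from typing import Mapping, Optional

# Constructed allowlist: the only front-end origins allowed to send cookies here.
# Both entries are placeholders, not real deployments.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://my-project.appspot.com",
})


def cors_headers_for(origin: Optional[str]) -> Optional[dict]:
    """Return CORS headers for a credentialed request from `origin`.

    Returns None when the Origin header is absent or not allowlisted, so the
    caller emits no CORS headers at all and the browser blocks the response.
    The origin is echoed only after an exact-match allowlist check: reflecting
    any Origin back would let every site read IAP-authenticated content.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,       # exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",  # required for cookies
        "Vary": "Origin",                            # keep shared caches per-origin
    }


def credentialed_request_allowed(origin: str, headers: Mapping[str, str]) -> bool:
    """Mirror the browser-side check for a request sent with credentials.

    This is what Safari (and every other browser) evaluates before exposing a
    credentialed response; a False here is the "Origin is not allowed" error.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    if acao is None or acao == "*":   # wildcard is rejected when credentials are sent
        return False
    if acao != origin:                # must match the requesting origin exactly
        return False
    return lower.get("access-control-allow-credentials", "").lower() == "true"
```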