Subdomain authorization

[dkornilove]

Hello,
I have site https://example.com
I have a dev copy of it on the same server with 'dev' subdomain http://dev.example.com
It can be accessed from the internet but it has not ssl
Remark is configured for the backend url https://example.com/remark and working perfectly within the main site
About six month ago it does work the same way on the dev copy without any additional configurations
but unfortunately authorization does not work on the dev copy now
When i hit sign in in the remark form with any third party oauth app being on the http://dev.example.com/blogpost1 it jumps to the new tab then closed and I can see https://example.com/remark/api/v1/user?site=site GET 401 error with "Unauthorized" response. When I login with email the process completed fine and looks like Im logged as an email user but when i try to submit a message it still responsing as for unathorized user.
What has been changed and how should I handle the same endpoint but for dev subdomain without ssl?

[paskal]

Could you please send me the link to the prod and dev site here or privately?

[umputun]

setting PROXY_CORS=true means "disable internal CORS and delegate it to proxy". So, you are asking here to let you handle it. In other words, it turns off the internal CORS support to allow handling by the external proxy server.

[dkornilove]

@umputun what If I am unable to handle cors stuff manually?
Maybe I should create an issue from now?

[umputun]

I'm not sure what you mean. The goal of this parameter is to allow you to handle the CORS externally, see the original issue for more details

If you are unable to handle cors on proxy level, just don't set this parameter.

[paskal]

It was my suggestion which turned out to be wrong, what I need to see is if we can set more relaxed cors settings. I’ll check it once more when I’ll be near the computer.

[paskal]

Definitely, something is off with Chrome security defaults compared with Firefox and Safari. It's either something to do with HTTP vs HTTPS or with another subdomain. @dkornilove, would you be so kind as to test the HTTPS subdomain to verify which of two it is?