Patterns for using Cloudflare Access across multiple domains

We’re in the process of putting our code-hosting infrastructure behind Access (fwiw, we use Phabricator). One issue that we’re coming up against is how to solve for the problem of hosting user-content on a separate domain and having that behind Access. The recommendation is to have (potentially malicious) static content hosted on a separate domain to mitigate same-origin attacks.

I’m wondering how this is going to work when users make requests to the main domain through Access, but the browser then needs to make subsequent requests through Access for the user-content, hosted on a separate domain? As the Access policies only apply to a single domain, it seems like we’ll need a separate policy for the user-content domain, which then means the user would need to auth more than once, for each separate domain.

Are there any patterns or workarounds for this approach with Access?

Here are some additional links (couldn’t add more than two links to the original post due to being a “new user”).

Hi @nick.travers, sorry for the posting issue, I upped your permissions so you’ll not run into that limitation again. And, welcome!

I am also very interested in this! It would be awesome if Access policies could apply to multiple domains. I think Google IAP supports this.