We’re in the process of putting our code-hosting infrastructure behind Access (FWIW, we use Phabricator). One issue that we’re coming up against is how to solve for the problem of hosting user content on a separate domain and having that behind Access. The recommendation is to have (potentially malicious) static content hosted on a separate domain to mitigate same-origin attacks.
I’m wondering how this is going to work when users make requests to the main domain through Access, but the browser then needs to make subsequent requests through Access for the user content, hosted on a separate domain. As the Access policies only apply to a single domain, it seems like we’ll need a separate policy for the user-content domain, which then means the user would need to auth more than once, for each separate domain.
Are there any patterns or workarounds for this approach with Access?