The first is where my application is served and the second is for static assets such as JS/CSS/HTML/images. The motivation for having a separate host for the assets is so I can direct those requests directly onto S3 and bypass the application servers.
I want to protect both endpoints with access so I setup a single access policy on
*.myapp.e.c. This works when visiting each subdomain directly.
A problem arises when www.myapp.e.c tries to load the static assets and makes a request to static.myapp.e.c. Since the domain of the CF_Authorization cookie is scoped to www.myapp.e.c, the static asset request is unauthenticated (static.myapp.e.c has its own access cookie). This means the request is hitting the auth intercepter and failing.
IIUC, this should be possible if the cookie domain was the apex
myapp.e.c which transmits cookies on subdomain requests. It would be generated on first access to www.myapp.e.c and then retransmitted to static.myapp.e.c.
Is this possible to configure in access when using a wildcard?
The only alternative I see is to have everything on the same domain and serve assets as myapp.e.c/_static, performing a proxy request in a Cloudflare worker but I am less inclined to this option since it requires me to maintain worker code.