I open a “new private window”, display the “Console” (“Ctrl_Shift+I”), and then open your link. The strange error appears right away (without reloading the page).
I then tried without “nobrowser” and there is no error (neither in a normal nor in a private window and not after reloading the page).
I am using the Firefox 112.0.2 (64-bit) on a Windows 10 machine.
But there are much more settings, which will not be exported via URL.
You always can try to store jsroot settings as cookies - via settings menu.
But of course, cookies do not work with private browser window.
It looks like “Draw in new tab” uses now separate credentials from the original ones.
I “Load” a file (with “credentials”) and “Draw” some canvas.
I then “Draw in new tab” the same canvas but it immediately asks for “credentials” again. This happens only the first time I execute “Draw in new tab” (i.e., using it again for anything else seems to reuse one of the provided “credentials”).
Can it be that these two “different” credentials are kept in two different variables, which are somehow “local” to different parts of the javascript code? So that “Draw” uses one variable, and “Draw in new tab” uses the other one.
Another possible reason is that, when accessing “https://b.l.a.h/blah/blah.root” in a new tab for the first time, it somehow does not recognize that it already has credentials for “https://b.l.a.h/”, so it tries to get new ones.
Can it be that I should “clean” some cache (if yes, what exactly)?
BTW. I tried to cut the “nobrowser&” string from the link, but it didn’t help (i.e., it asked for credentials again):
If it helps, note that it is sufficient to “Draw in new tab” once. Even when I close this new tab and then execute another “Draw in new tab” command (in the original tab), it automatically reuses one of the provided credentials (I don’t know which one, either the original one or the one I gave during the previous new tab creation).
In general, users have no way to modify the server’s configuration.
I am using the "CORS Everywhere " plugin (for Firefox) when accessing servers (remote and the localhost).
Anyhow, it doesn’t seem to be about CORS; the error explicitly says “unauthorized access”, not “cross-origin” (which appears if I do not switch the plugin on) and it appears only the first time it creates a “new tab” (afterward is reuses credentials).
Well … on second thought … maybe it is indeed related to the CORS. I use “File Open” (i.e., “file:///C:/.../browse.html”) in Firefox (so my browser is my “server”). It then loads your javascript and accesses remote files using “https://b.l.a.h/blah/blah.root”. However, “Draw in new tab” opens something that looks like “https://jsroot.gsi.de/dev/?nobrowser&with_credentials&file=https://b.l.a.h/blah/blah.root&item=canvas;1&opt=”, which may change the server from my own “file:///” to your “https://jsroot.gsi.de” (and that’s why it asks for credentials again).
Well, if I am right about the unfortunate “change of the server”. Maybe javascript gives the possibility to “fork”/“clone” the whole process (into a new tab). Then the new tab would behave exactly as the old one (i.e., it would still use the original “file:///”).
Without such configuration saved credentials where not working. Simple * as allow-origin is rejected in such case.
I will submit soon changes for THttpServer, but if you are using any other server - it should be possible to provide such headers. Without them it does not work.
Some information I found here:
You should check comment about blocking third-parties coockies:
In general, users are not able to modify servers.
We need a solution that “fixes” it on the user side (i.e., in the browser).
It seems that the “CORS Everywhere” plugin (for Firefox) lacks this new “fix”.
You now know what is needed, so maybe you could file a “problem report” there (they may be able to add the required “fix” in the new version).
There are another two points with the “Draw in new tab” …
When a canvas is drawn with multiple pads, I can click “Enlarge pad”. When I open the pad menu again, the “checkmark” on the left side is missing (when I click “Enlarge pad” again, I get the whole canvas back). Note: the “checkmark” does appear when one uses a simple “Draw”.
The new tab is always opened with “nobrowser”. Would it be possible to add a menu item that “restores” it in this tab?
There is one point with “Draw” and “Draw in new tab” … when I click “Enlarge pad” in the canvas itself (i.e., not in a “subpad”), then the whole tab becomes “white” … it seems to me that it doesn’t draw “subpads” in this case (well, the entire “canvas” is a “pad”, too, so I expected that the “pad” and all its “subpads” were drawn).
I am not sure that CORS Everywhere can help to solve the issue. But one can try:
About Enlarge of sub-sub-pads. Logically sub-pads belongs to parent pad.
But graphically they drawn independent from each other on the canvas just in the order they appear in the list of primitives. Enlarge of the sub-pad means enlarge only of that particular graphical element - all child pads will not be affected. Therefore in this example enlarge of second-level subpad c1_1 leads to empty tab.
Did you see half-transparent diamond in the left-upper corner. It toggle browser back.