
rhand (Level 6):

Cookie “XSRF-TOKEN” has been rejected for invalid domain. sub.domain.com

We have an app at anotherdomain.com that is the main entry for all HTTPS requests. It then loads the requested site based on the data it got. That can be a site under the app domain, called app-domain.com in this story, OR it can be sub.domain.com, as happens here. We currently get

Cookie “XSRF-TOKEN” has been rejected for invalid domain. sub.domain.com

for fonts that are loaded for public sites from /home/user/site.com/shared/public/published/site.com/fonts or https://*.site.com/fonts/*, using API data from app-domain.com

Verify Csrf Token Exception Failed

I added https://*.site.com/fonts/* to

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * Indicates whether the XSRF-TOKEN cookie should be set on the response.
     *
     * @var bool
     */
    protected $addHttpCookie = true;

    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'api/form-service',
        'webhook/mollie',
        // Added as an absolute URL with wildcards; quoted here so the file
        // parses (an unquoted URL is a PHP syntax error).
        'https://*.site.com/fonts/*',
    ];
}

of our Laravel app at app-domain.com (the main entry point on our server), as a URI to except in app/Http/Middleware/VerifyCsrfToken.php, but this does not seem to work, or I missed something when adding it.

Fonts still failing to load

The fonts are local and downloaded on publication, but now these fail:

Some cookies are misusing the recommended “SameSite“ attribute 10
Cookie “XSRF-TOKEN” has been rejected for invalid domain. sub.domain.com
Cookie “site_production_session” has been rejected for invalid domain. sub.domain.com
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. site.domain.com
Cookie “domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://sub.domain.com/published/sub.domain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2

How can I except this font loading so the fonts display properly and get things to work well here? No specific route is used for loading the fonts, so I do think I need to add an exception in the app to allow a published site on another domain to load the CSRF token, other cookies and fonts. But how?

0 likes
31 replies
rhand (Level 6):

The exceptions are routes within your own application that are excluded, not the URLs of servers that are requesting it. You will never put localhost, http, or any domain in these exceptions in normal circumstances. If you wish for a request by an external server to be accepted, I would disable CSRF protection for the routes it is accessing (because you want a cross-site request, that's what CSRF prevents).

https://stackoverflow.com/a/34024604/460885

So published sites loaded under a secondary domain that load data from our main domain and have fonts stored in a directory that is served on that secondary domain need to be excluded using a route CSRF exclusion. Will need to look into our controller and web.php routes for this I guess.
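Added example, not code from this thread or from Laravel: a small Python model of the decision the quoted reply describes, namely which requests a Laravel-style VerifyCsrfToken middleware actually verifies. Two things matter for the font problem here. First, the middleware only verifies state-changing requests; GET, HEAD and OPTIONS are treated as reading requests and never reach token verification, so a font fetched with GET is never blocked by CSRF, whatever is in $except. Second, each $except entry is a wildcard pattern; the matcher below is an assumed simplification that trims slashes and tests the pattern against both the request path and the full URL, so treat it as a model rather than a port. The except list, site.com placeholder and font URL are taken from the first post.

```python
import hmac
import re
from typing import Iterable
from urllib.parse import urlsplit

# Request methods a Laravel-style VerifyCsrfToken treats as "reading": they are
# never verified, which is why font GETs cannot be blocked by this middleware.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def in_except(url: str, except_patterns: Iterable[str]) -> bool:
    """Assumed simplification of the except-list matching: each pattern is
    trimmed of slashes and tested against the request path and the full URL."""
    path = urlsplit(url).path.strip("/") or "/"
    for pattern in except_patterns:
        if pattern != "/":
            pattern = pattern.strip("/")
        regex = _wildcard_regex(pattern)
        if regex.match(path) or regex.match(url):
            return True
    return False


def needs_csrf_check(method: str, url: str, except_patterns: Iterable[str]) -> bool:
    """True when the middleware would demand a valid CSRF token."""
    if method.upper() in READ_METHODS:
        return False  # reading requests are never verified
    return not in_except(url, except_patterns)


def token_matches(session_token: str, request_token: str) -> bool:
    """Constant-time comparison of the session token with the token sent in
    the _token field or the X-CSRF-TOKEN / X-XSRF-TOKEN header."""
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)


# Except list from the first post (site.com is that post's placeholder domain).
EXCEPT = ["api/form-service", "webhook/mollie", "https://*.site.com/fonts/*"]
FONT_URL = ("https://sub.secondarydomain.com/published/sub.secondarydomain.com"
            "/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2")

if __name__ == "__main__":
    print(needs_csrf_check("GET", FONT_URL, EXCEPT))                                    # False
    print(needs_csrf_check("POST", "https://app-domain.com/api/form-service", EXCEPT))  # False
    print(needs_csrf_check("POST", "https://app-domain.com/pages/1", EXCEPT))           # True
```

The font GET reports False from needs_csrf_check: no except entry is needed for it, so when a font request comes back 404 the cause is in how the file was published or served, not in CSRF verification.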

rhand (Level 6):

Found

// Relies on the Cookie facade (Illuminate\Support\Facades\Cookie) being imported.
public function response( $url, $page = null )
{
    $page = $this->setPageQuery( $page );

    // Forward the caller's cookie to the API so the server-side request is
    // authenticated. The value is interpolated unescaped into a header, so it
    // must not contain CR/LF characters.
    $cookie = Cookie::get( 'mcathide' );
    $context = stream_context_create([
        'http' => [
            'method' => "GET",
            'header' => "Accept-language: en\r\n".
                        "Cookie: mcathide={$cookie}\r\n"
        ]
    ]);

    $data = file_get_contents( $this->apiUrl . $url . $page, false, $context );
    $json = json_decode( $data );

    return $json;
}

at https://laracasts.com/discuss/channels/requests/api-level-laravel-53-cookies-not-working-when-called-via-static-php-website?page=0 for adding cookie data to my file_get_contents $context. Going to try adding the proper CSRF cookie to my GET request this way inside

$options = [
    'http' => [
        'method' => "GET",
        'header' => "Accept-language: en\r\n" .
                    "Cookie: foo=bar\r\n" .
                    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\r\n"
    ]
];

rhand (Level 6):

Added lax

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | do not enable this as other CSRF protection services are in place.
    |
    | Supported: "lax", "strict"
    |
    */

    'same_site' => 'lax',

and the SameSite issue (Some cookies are misusing the recommended “SameSite” attribute) is gone. However, the XSRF-TOKEN and app-domain_production_session cookies are still being rejected, as expected, as this takes place on the secondary domain loading data from the app domain:

Cookie “XSRF-TOKEN” has been rejected for invalid domain. subdomain.secondarydomain.com
Cookie “app-domain_production_session” has been rejected for invalid domain. subdomain.secondarydomain.com
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. subdomain.secondarydomain.com
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
downloadable font: download failed (font-family: "Lato" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:400 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
[HTTP/2 404 Not Found 198ms]

GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
[HTTP/2 404 Not Found 198ms]

GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
[HTTP/2 404 Not Found 214ms]

Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
downloadable font: download failed (font-family: "Lato" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:400 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2


laracoft:

@rhand

  1. Quite difficult to follow what you are saying. Is your issue solved?
  2. anotherdomain.com, is this Laravel code by you?
  3. app-domain.com, is this Laravel code by you?
  4. Are you loading anotherdomain.com which embed assets from app-domain.com?
  5. OR are you loading app-domain.com which embed assets from anotherdomain.com?
1 like
rhand (Level 6):

Quite difficult to follow what you are saying. Is your issue solved?

The SameSite cookies warning is gone, but due to the cookie rejection for invalid domain (secondary domain loading from the app) I still do not get to load the Google Fonts.

anotherdomain.com, is this Laravel code by you?

Yes, both the app domain and anotherdomain are by me. Anotherdomain is the domain some sites are published on, but these load data from app-domain. And the app generates the cookies of course. Both domains point to the same server / IP.

app-domain.com, is this Laravel code by you?

Yes, the main app is where all requests arrive; some get data and load it under anotherdomain.com. When they do, Google Fonts are blocked. Under app-domain.com all is fine.

Are you loading anotherdomain.com which embed assets from app-domain.com?

Via our Axios JSON API we load data from the database connected to the web app server. So... yes.

OR are you loading app-domain.com which embed assets from anotherdomain.com?

No, app-domain is the main domain where content is added and published. Content is served on app-domain without issues AND on anotherdomain.com for clients, where the cookie and font issues occur.

laracoft:

@rhand

Ok, so you are saying,

  1. When you load a page on anotherdomain.com, it pulls google fonts from app-domain.com which fails
  2. What is the error from 1? Show the full actual browser error logs please
rhand (Level 6):

Well, as I posted, I now see this, where the secondary domain is the client site that tries to load fonts from the fonts directory in the app on the same server. But cookies are created for app-domain and not for the secondary domain, I assume, and that is part of the issue. So though both are on the same server, XSRF says the secondary domain is not accepted as that is not... app-domain:

Cookie “XSRF-TOKEN” has been rejected for invalid domain. subdomain.secondarydomain.com
Cookie “app-domain_production_session” has been rejected for invalid domain. subdomain.secondarydomain.com
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. subdomain.secondarydomain.com
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
downloadable font: download failed (font-family: "Lato" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:400 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
[HTTP/2 404 Not Found 198ms]

GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
[HTTP/2 404 Not Found 198ms]

GET https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
[HTTP/2 404 Not Found 214ms]

Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
downloadable font: download failed (font-family: "Lato" style:normal weight:100 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/lato/v17/S6u8w4BMUTPHh30AXC-q.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. S6u8w4BMUTPHh30AXC-q.woff2
downloadable font: download failed (font-family: "Montserrat" style:normal weight:400 stretch:100 src index:2): status=2147746065 source: https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
Cookie “app-domain_production_session” has been rejected for invalid domain. JTUSjIg1_i6t8kCHKm459Wlhyw.woff2
rhand (Level 6):

Why is there subdomain.secondarydomain.com in the picture?

This is where the published site from the user is located. They get a subdomain of a secondary domain to test their site before adding it to a custom domain. And as I said, data is always loaded via our API, as custom domains, secondary subdomains and subs of the app domain all load from the same server / IP API.

If you load https://subdomain.secondarydomain.com/published/subdomain.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2 in your browser, what happens?

Then we get a Laravel 404 page, as the font was never properly added to begin with on publication. And that seems to be due to CSRF / XSRF. When published on a subdomain of the main or app domain (only for app-domain admins) these issues do NOT occur.

rhand (Level 6):
  1. user goes to app-domain on app server
  2. user creates content with text using Google Fonts on app server
  3. user publishes the site and opens it on sub.anotherdomain, the client domain under which their test site can be viewed using a subdomain.
  4. user sees all content with system fonts, as we have the cookie issue and Google Font not found issues, apparently due to cookie issues.

PS sub.anotherdomain.com loads everything from the app server and points to that server too.

laracoft:

@rhand good, clearer now, but I still cannot fit secondarydomain.com into the picture. Is secondarydomain.com == anotherdomain.com?

You know your error is coming from secondarydomain.com correct?

1 like
rhand (Level 6):

Is secondarydomain.com == anotherdomain.com?

Yes, sorry about that. anotherdomain is the secondary domain here.

You know your error is coming from secondarydomain.com correct?

Yes, for sure. All sites published and loaded under sub.app-domain.com are loading and publishing just fine, as they do not suffer the CSRF issues like on sub.secondarydomain.com.

rhand (Level 6):

Only one of the 4 Google Fonts was published. And that one sometimes fails to publish as well:

forge@xxx-prod-w-2:~/appdomain.com/current$ cd ~/appdomain.com/shared/public/published/sub.secondarydomain.com/fonts/
forge@smt-prod-w-2:~/appdomain.com/shared/public/published/sub.secondarydomain.com/fonts$ ll
total 12
drwxr-xr-x+ 3 forge forge 4096 Oct 21 01:06 ./
drwx------+ 5 forge forge 4096 Oct 21 01:06 ../
drwxr-xr-x+ 3 forge forge 4096 Oct 21 01:06 opensans/

and

forge@xxx-prod-w-2:~/appdomain.com/shared/public/published/sub.secondarydomain.com/fonts/opensans/v18$ ll
total 788
drwxr-xr-x+ 2 forge forge  4096 Oct 21 01:06 ./
drwxr-xr-x+ 3 forge forge  4096 Oct 21 01:06 ../
-rw-r--r--+ 1 forge forge  8104 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOUehpOqc.woff2
-rw-r--r--+ 1 forge forge 15056 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOUuhp.woff2
-rw-r--r--+ 1 forge forge  9560 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOVuhpOqc.woff2
-rw-r--r--+ 1 forge forge 17568 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOX-hpOqc.woff2
-rw-r--r--+ 1 forge forge 11708 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOXOhpOqc.woff2
-rw-r--r--+ 1 forge forge  6364 Oct 21 01:06 mem5YaGs126MiZpBA-UN7rgOXehpOqc.woff2
...

Yeah, so either an issue in the PublishController and/or a CSRF restriction issue, as I still have the cookie issues with invalid domain as well.

rhand (Level 6):

Publication of fonts was a controller issue, @laracoft. Thanks for all the help so far! The cookie issue

Cookie “XSRF-TOKEN” has been rejected for invalid domain. sub.secondarydomain.com
Cookie “appdomain_production_session” has been rejected for invalid domain.

is still there but does not cause the fonts not to load. Happy to have made progress!

laracoft:

@rhand ok.

  1. On your CLI, do ping sub.secondarydomain.com and see if resolves to an IP address.
  2. If it does not, you have to meddle with your DNS. Probably a CNAME or A entry of * for secondarydomain.com
rhand (Level 6):

Pings go just fine. I do think I need to set the session cookie and XSRF cookie in a different way...

➜  ~ ping sub.secondarydomain.com
PING sub.secondarydomain.com (xxx.xxx.xxx.xx): 56 data bytes
64 bytes from xxx.xxx.xxx.xx: icmp_seq=0 ttl=51 time=178.575 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=1 ttl=51 time=180.815 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=2 ttl=51 time=181.551 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=3 ttl=51 time=207.826 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=4 ttl=51 time=181.482 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=5 ttl=51 time=181.387 ms
64 bytes from xxx.xxx.xxx.xx: icmp_seq=6 ttl=51 time=178.661 ms
^C
--- sub.secondarydomain.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 178.575/184.328/207.826/9.667 ms

note: my location is very far away from the server location

rhand (Level 6):

Here it is. Also, sub is short for subdomain on the secondarydomain:

GET

scheme           https
host             sub.secondarydomain.com
filename         /published/sub.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2
Address          xxxx.xxx.xxx.xx:443
Status           200 OK
Version          HTTP/2
Transferred      18.35 KB (17.95 KB size)
Referrer Policy  no-referrer-when-downgrade

Response headers:
accept-ranges           bytes
cache-control           max-age=2592000
content-length          18376
content-type            application/octet-stream
date                    Wed, 21 Oct 2020 06:18:49 GMT
etag                    "5f8fce0e-47c8"
expires                 Fri, 20 Nov 2020 06:18:49 GMT
last-modified           Wed, 21 Oct 2020 05:58:38 GMT
server                  nginx
x-content-type-options  nosniff
X-Firefox-Spdy          h2
x-frame-options         SAMEORIGIN
x-xss-protection        1; mode=block

Request headers:
Accept           application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Encoding  identity
Accept-Language  en-US,en;q=0.5
Cache-Control    no-cache
Connection       keep-alive
Host             sub.secondarydomain.com
Pragma           no-cache
Referer          https://sub.secondarydomain.com/published/sub.secondarydomain.com/css/fonts.css?ver=20201021075837
TE               Trailers
User-Agent       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0

note: this was a hard load without cache so all fonts would be loaded.

rhand (Level 6):

We could try


 - 'domain' => env('SESSION_DOMAIN', '.' . config('app.domain')),
 + 'domain' => env('SESSION_DOMAIN', null),
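Review bot: the security trade-off in this hunk is cookie scope, not the console warning. With no Domain attribute the session and XSRF-TOKEN cookies become host-only, so the browser accepts them from whichever host served the response (sub.secondarydomain.com included), but it will no longer send them to sibling subdomains of app-domain.com; anything that relies on one login being shared across sub.app-domain.com hosts will lose that. Host-only is the tighter scope, so this is an improvement as long as that sharing is not required; while checking, confirm the emitted Set-Cookie still carries Secure and SameSite=Lax.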

but I also worry about security, so I need to look into this some more.
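Added example, not code from this thread or from any browser: a Python model of the two browser-side rules behind the console warnings, covering both the SameSite change made earlier in the thread ('same_site' => 'lax') and the Domain change proposed just above. parse_set_cookie applies the RFC 6265 rule that a Set-Cookie carrying a Domain attribute is stored only when the responding host domain-matches it, which is why a cookie with Domain=.app-domain.com is rejected on sub.secondarydomain.com; without the attribute the cookie becomes host-only. should_send then applies the host-only or domain scope, Secure, and SameSite rules to later requests. Assumptions: Path matching is omitted, the registrable site is approximated by the last two labels instead of the Public Suffix List, a cookie without SameSite is treated as Lax and SameSite=None without Secure is rejected, as Chromium-based browsers do. The cookie names and hosts are the thread's; the Set-Cookie values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # lowercase, no leading dot
    host_only: bool    # True when the Set-Cookie carried no Domain attribute
    secure: bool
    same_site: str     # "Strict", "Lax" or "None"


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching (IP-address hosts ignored)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str, request_scheme: str) -> Optional[StoredCookie]:
    """Return the cookie a browser would store for this response, or None when
    it would be rejected (the "invalid domain" case in the console warnings)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    secure = "secure" in attrs
    if secure and request_scheme != "https":
        return None                      # Secure cookies are only set over https

    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if domain_attr:
        if not domain_match(request_host, domain_attr):
            return None                  # Domain does not cover the responding host
        domain, host_only = domain_attr, False
    else:
        domain, host_only = request_host.lower(), True   # host-only cookie

    same_site = attrs.get("samesite", "lax").capitalize()  # assumption: default Lax
    if same_site == "None" and not secure:
        return None                      # SameSite=None requires Secure
    return StoredCookie(name.strip(), value, domain, host_only, secure, same_site)


def registrable_site(host: str) -> str:
    """Crude eTLD+1 (last two labels); real browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def should_send(cookie: StoredCookie, request_host: str, request_scheme: str,
                top_level_host: str, method: str = "GET",
                top_level_navigation: bool = False) -> bool:
    """Would the browser attach this cookie to a request for request_host made
    from a page whose top-level site is top_level_host?"""
    if cookie.host_only:
        if request_host.lower() != cookie.domain:
            return False                 # host-only: exact host match required
    elif not domain_match(request_host, cookie.domain):
        return False
    if cookie.secure and request_scheme != "https":
        return False
    same_site_request = registrable_site(request_host) == registrable_site(top_level_host)
    if cookie.same_site == "Strict":
        return same_site_request
    if cookie.same_site == "Lax":
        return same_site_request or (top_level_navigation and method.upper() == "GET")
    return True                          # SameSite=None


# Constructed headers in the shape Laravel emits; the hosts are the thread's.
PUBLISHED_HOST = "sub.secondarydomain.com"
WITH_DOMAIN = "XSRF-TOKEN=tok; Path=/; Domain=.app-domain.com; Secure; SameSite=Lax"
HOST_ONLY = "XSRF-TOKEN=tok; Path=/; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(parse_set_cookie(WITH_DOMAIN, PUBLISHED_HOST, "https"))            # None: rejected
    c = parse_set_cookie(HOST_ONLY, PUBLISHED_HOST, "https")
    print(c.host_only, should_send(c, PUBLISHED_HOST, "https", PUBLISHED_HOST))   # True True
    print(should_send(c, "other.secondarydomain.com", "https", PUBLISHED_HOST))  # False
    print(should_send(c, PUBLISHED_HOST, "https", "app-domain.com"))              # False
```

The third and fourth prints show the trade-off of dropping the Domain attribute: the host-only cookie is accepted on the published host, but it is not sent to any other subdomain, and with SameSite=Lax it is also not attached to subresource requests embedded from a page on a different site.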

rhand (Level 6):

@laracoft

Can confirm sub.* works? https://sub.secondarydomain.com/published/sub.secondarydomain.com/fonts/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7m.woff2 loads in browser ok?

Yes, can be downloaded.

Also, I meant the HTTP response headers, what you have there seems to be the HTTP request headers.

That would be

.......

note: shortened it some

rhand (Level 6):

I do think I added that in the first headers, but here we go:

accept-ranges bytes
cache-control max-age=2592000
content-length 19172
content-type application/octet-stream
date Wed, 21 Oct 2020 06:18:49 GMT
etag "5f8fce0f-4ae4"
expires Fri, 20 Nov 2020 06:18:49 GMT
last-modified Wed, 21 Oct 2020 05:58:39 GMT
server nginx
x-content-type-options nosniff
X-Firefox-Spdy h2
x-frame-options SAMEORIGIN
x-xss-protection 1; mode=block

and here raw

HTTP/2 200 OK
server: nginx
date: Wed, 21 Oct 2020 06:18:49 GMT
content-type: application/octet-stream
content-length: 19172
last-modified: Wed, 21 Oct 2020 05:58:39 GMT
etag: "5f8fce0f-4ae4"
expires: Fri, 20 Nov 2020 06:18:49 GMT
cache-control: max-age=2592000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
accept-ranges: bytes
X-Firefox-Spdy: h2

rhand (Level 6):

Sorry for the late response. Other things came up, including a short local break.

As mentioned earlier we set up

 - 'domain' => env('SESSION_DOMAIN', '.' . config('app.domain')),
 + 'domain' => env('SESSION_DOMAIN', null),
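Review bot: `env('SESSION_DOMAIN', null)` only changes the fallback; if SESSION_DOMAIN is still exported in .env or in the Forge environment, that value wins and this hunk has no effect. Verify on the live host by inspecting the Set-Cookie response header (no Domain attribute should appear on XSRF-TOKEN or the session cookie) rather than by the absence of the console warning alone.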

and that seems to be doing the trick for these issues. If I do hit another snag I will post back. Thanks a lot for everything, @laracoft!
