Overview
In order to showcase models stored on Amazon S3, we rely on the use of the Three.js JavaScript library for visualization.
For loading models, I exclusively utilize the JSONLoader due to its comprehensive toolchain support. Other formats such as COLLADA or OBJ are not as well-supported by the loader libraries included with Three.js (they can be found in the "examples" source tree, while JSONLoader is located in the core loaders folder).
Given the size of our model files, we opt to store them along with their assets on Amazon S3 storage - a cost-effective solution for bandwidth and space. The goal is for our web application utilizing Three.js to seamlessly load models from our Amazon S3 repository.
Issue
Unfortunately, because the models are JavaScript files (e.g. "modelBlah.js"), most browsers flag a violation of the same-origin policy when loaded via JSONLoader. This means we're fetching and attempting to execute scripts from a different domain than the main app script, which raises security concerns.
Essentially, we may have overlooked established web security practices.
Potential Solutions Explored
Self-hosting models? Despite currently using Heroku, we prefer a service focused on robust data hosting over managing it ourselves.
Utilizing DNAME records for spoofing resource origins? Browser security measures are still triggered by the subdomain used for media hosting, rendering this approach ineffective.
Implementing CORS, particularly Access-Control-Allow-Origin headers? Initial investigation suggests limitations within Amazon S3, though further research is needed to determine if this would adequately address the issue.
Any insights or suggestions are welcome.
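
For the CORS option raised above, an added example that is not part of the original post: a simplified model of how a bucket's CORS rules decide the Access-Control-Allow-Origin value for a cross-origin model request, plus an audit for rules broader than a read-only model bucket needs. The rule keys follow the JSON form of an S3 CORS configuration; the origins, the sample rules and the function names are constructed for illustration.

```javascript
// Added example: simplified model of S3 CORS rule matching (not AWS code).
// All origins and rule sets below are constructed sample values.

// Turn an AllowedOrigins pattern (S3 permits at most one "*") into a RegExp.
function originPattern(pattern) {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

// Return the Access-Control-Allow-Origin value the first matching rule yields,
// or null when nothing matches (the browser then withholds the XHR response).
function allowOriginFor(rules, origin, method) {
  for (const rule of rules) {
    if (!rule.AllowedMethods.includes(method)) continue;
    for (const allowed of rule.AllowedOrigins) {
      if (allowed === "*") return "*";
      if (originPattern(allowed).test(origin)) return origin;
    }
  }
  return null;
}

// Flag rules that grant more than read access from known origins.
function auditRules(rules) {
  const findings = [];
  rules.forEach((rule, i) => {
    if (rule.AllowedOrigins.includes("*")) {
      findings.push(`rule ${i}: any origin may read responses`);
    }
    const writes = rule.AllowedMethods.filter(m => m !== "GET" && m !== "HEAD");
    if (writes.length) {
      findings.push(`rule ${i}: write methods allowed (${writes.join(", ")})`);
    }
  });
  return findings;
}

// Weak configuration beside a scoped one for a bucket that only serves models.
const permissive = [{ AllowedOrigins: ["*"], AllowedMethods: ["GET", "PUT"], AllowedHeaders: ["*"] }];
const scoped = [{ AllowedOrigins: ["https://app.example.com"], AllowedMethods: ["GET", "HEAD"],
                  AllowedHeaders: [], MaxAgeSeconds: 3000 }];

console.log(allowOriginFor(scoped, "https://app.example.com", "GET"));
console.log(allowOriginFor(scoped, "https://other.example.net", "GET"));
console.log(auditRules(permissive));
```

With the scoped rule, only the application's own origin receives a matching header, so the model files stay readable by the app's XHR requests without opening the bucket's responses to every site.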