W3C home > Mailing lists > Public > public-audio@w3.org > July to September 2017

Re: [sysreq #12077] CORS headers needed for MathJax fonts, allowing access from

From: Bert Bos via RT <sysreq@w3.org>
Date: Fri, 22 Sep 2017 11:31:30 +0000
Message-ID: <rt-4.2.8-1559-1506079889-713.12077-18-0@w3.org>
CC: public-audio@w3.org

> On 22 Sep 2017, at 09:33, Vivien Lacourba via RT <sysreq@w3.org> wrote:
> 
> Hi Chris,
> 
> On Thu Sep 21 18:56:24 2017, chris wrote:
>> Hi sysreq,
>> 
>> (Bert copied as maintainer of the W3C MathJax instance, WG copied
>> because of issue 1329 )
>> https://github.com/WebAudio/web-audio-api/issues/1329
>> 
>> The Web Audio spec uses MathJax. The editors draft, at
>> https://webaudio.github.io/web-audio-api/ gives browser console errors
>> because of the cross origin font request (which is correct, per spec)
>> and so I am asking for an Access-Control-Allow-Origin header to be
>> added, enabling webaudio.github.io.
>> 
>> Here is a sample error (similar ones for the other fonts)
>> 
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-
>> CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1.
>> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
>> 
>> which leads to
>> 
>> downloadable font: download failed (font-family: "MathJax_Size4"
>> style:normal weight:normal stretch:normal src index:0): bad URI or
>> cross-site access not allowed source:
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-
>> CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1
>> 
>> There is documentation here on adding CORS headers
>> https://www.w3.org/wiki/CORS_Enabled
>> https://www.webcodegeeks.com/web-servers/cors-and-how-to-enable-it-in-
>> apache-web-server/
>> https://enable-cors.org/server_apache.html
>> 
>> Thanks!
> 
> I am adding José (our CORS expert inside Systeam), Antonio (owner of /scripts/) to the loop, they will give you a definitive answer here.
> 
> We could add CORS headers to allow any origin ("*") to use content from w3.org/scripts but that seem to defeat the good practice we tried to put in place for the /scripts area:
> 
> extract from https://www.w3.org/scripts/ :
> [[
> This is W3C's central repository of JS modules and frameworks. Please consider the following:
> * These resources are intended to be persistent and immutable
> * Because of that, you are welcomed (read “encouraged”) to link to these files from any specs, documents and pages hosted under w3.org
> * Please do not link to these files from external pages or sites (you may consider using a CDN instead)
> ]]
> 
> I am not sure if we could allow github.io in addition to w3.org as I don't think you can allow multiple origin (it seems to be either one or any):
> 
> [[ Access-Control-Allow-Origin: <origin> | * ]]

But if I remember correctly, that one <origin> isn’t a fixed string. It is determined dynamically, because it has to be an exact copy of the Origin header in the HTTP request. It’s not easy, but I think you can allow multiple origins with some Apache trickery. A real Apache expert should look at it, but I think it is something like this:

   # Set %{ORIGIN} if request contains www.w3.org or webaudio.github.io:
   SetEnvIfNoCase Origin (https?://www.w3.org(:.*)?) ORIGIN=$1
   SetEnvIfNoCase Origin (https?://webaudio.github.io(:.*)?) ORIGIN=$1

   # If the request is for a .woff and we recognized the Origin, set CORS:
   <Files *.woff>
     Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
   </Files>

Of course, it complicates maintenance of our server. Maybe in a few months other groups want to use it, too, and in a few years we will no doubt replace github by something else... I’m not volunteering to manage CORS stuff. :-)



Bert
--
  Bert Bos                                ( W 3 C ) http://www.w3.org/
  http://www.w3.org/people/bos                               W3C/ERCIM
  bert@w3.org                             2004 Rt des Lucioles / BP 93
  +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France



Received on Friday, 22 September 2017 11:31:31 UTC

This archive was generated by hypermail 2.3.1 : Friday, 22 September 2017 11:31:32 UTC