- From: Bert Bos via RT <sysreq@w3.org>
- Date: Fri, 22 Sep 2017 11:31:30 +0000
- CC: public-audio@w3.org
- Message-ID: <rt-4.2.8-1559-1506079889-713.12077-18-0@w3.org>
> On 22 Sep 2017, at 09:33, Vivien Lacourba via RT <sysreq@w3.org> wrote:
>
> Hi Chris,
>
> On Thu Sep 21 18:56:24 2017, chris wrote:
>> Hi sysreq,
>>
>> (Bert copied as maintainer of the W3C MathJax instance, WG copied
>> because of issue 1329)
>> https://github.com/WebAudio/web-audio-api/issues/1329
>>
>> The Web Audio spec uses MathJax. The editors draft, at
>> https://webaudio.github.io/web-audio-api/ gives browser console errors
>> because of the cross origin font request (which is correct, per spec)
>> and so I am asking for an Access-Control-Allow-Origin header to be
>> added, enabling webaudio.github.io.
>>
>> Here is a sample error (similar ones for the other fonts)
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1.
>> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
>>
>> which leads to
>>
>> downloadable font: download failed (font-family: "MathJax_Size4"
>> style:normal weight:normal stretch:normal src index:0): bad URI or
>> cross-site access not allowed source:
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1
>>
>> There is documentation here on adding CORS headers
>> https://www.w3.org/wiki/CORS_Enabled
>> https://www.webcodegeeks.com/web-servers/cors-and-how-to-enable-it-in-apache-web-server/
>> https://enable-cors.org/server_apache.html
>>
>> Thanks!
>
> I am adding José (our CORS expert inside Systeam), Antonio (owner of /scripts/) to the loop, they will give you a definitive answer here.
>
> We could add CORS headers to allow any origin ("*") to use content from w3.org/scripts but that seems to defeat the good practice we tried to put in place for the /scripts area:
>
> extract from https://www.w3.org/scripts/ :
> [[
> This is W3C's central repository of JS modules and frameworks. Please consider the following:
> * These resources are intended to be persistent and immutable
> * Because of that, you are welcomed (read “encouraged”) to link to these files from any specs, documents and pages hosted under w3.org
> * Please do not link to these files from external pages or sites (you may consider using a CDN instead)
> ]]
>
> I am not sure if we could allow github.io in addition to w3.org as I don't think you can allow multiple origins (it seems to be either one or any):
>
> [[ Access-Control-Allow-Origin: <origin> | * ]]

But if I remember correctly, that one <origin> isn’t a fixed string. It is determined dynamically, because it has to be an exact copy of the Origin header in the HTTP request.

It’s not easy, but I think you can allow multiple origins with some Apache trickery. A real Apache expert should look at it, but I think it is something like this:

    # Set %{ORIGIN} if the request's Origin is www.w3.org or webaudio.github.io.
    # The patterns are anchored, with dots escaped and only a numeric port
    # allowed, so that only these exact hosts match:
    SetEnvIfNoCase Origin "^(https?://www\.w3\.org(:[0-9]+)?)$" ORIGIN=$1
    SetEnvIfNoCase Origin "^(https?://webaudio\.github\.io(:[0-9]+)?)$" ORIGIN=$1

    # If the request is for a .woff and we recognized the Origin, set CORS:
    <Files "*.woff">
      Header set Access-Control-Allow-Origin "%{ORIGIN}e" env=ORIGIN
    </Files>

Of course, it complicates maintenance of our server. Maybe in a few months other groups want to use it, too, and in a few years we will no doubt replace github by something else... I’m not volunteering to manage CORS stuff. :-)

Bert
--
  Bert Bos                                ( W 3 C ) http://www.w3.org/
  http://www.w3.org/people/bos                               W3C/ERCIM
  bert@w3.org                             2004 Rt des Lucioles / BP 93
  +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France

Received on Friday, 22 September 2017 11:31:31 UTC
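
The multi-origin approach in the message above echoes back whatever the Origin pattern captures, so the pattern is the allow-list. The following is an added example, not part of the original message or of W3C's server configuration: a Python model of the SetEnvIf/Header logic that checks which Origin values a browser would end up accepting, comparing an unanchored pattern with unescaped dots against an anchored one. The `Vary: Origin` header, the function names and the sample Origin values are assumptions of this example (the values are constructed).

```python
import re

# Unanchored allow-list with unescaped dots (the loose form to avoid).
LOOSE = [r"(https?://www.w3.org(:.*)?)",
         r"(https?://webaudio.github.io(:.*)?)"]
# Anchored, dots escaped, optional numeric port only (this example's tightening).
STRICT = [r"^(https?://www\.w3\.org(:[0-9]+)?)$",
          r"^(https?://webaudio\.github\.io(:[0-9]+)?)$"]

def cors_headers(path, origin, patterns):
    """Model SetEnvIfNoCase Origin <re> ORIGIN=$1 plus, for *.woff only,
    Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN."""
    if not path.endswith(".woff"):
        return {}
    headers = {"Vary": "Origin"}  # added here: the response depends on Origin
    for pattern in patterns:
        m = re.search(pattern, origin or "", re.IGNORECASE)
        if m:
            headers["Access-Control-Allow-Origin"] = m.group(1)  # the $1 capture
    return headers

def browser_accepts(origin, headers):
    """The CORS check passes only if the header equals the request Origin."""
    return headers.get("Access-Control-Allow-Origin") == origin

FONT = "/scripts/MathJax/2.6.1/fonts/HTML-CSS/TeX/woff/MathJax_Size4-Regular.woff"
# Constructed Origin values; the last three are deliberately not real hosts.
ORIGINS = [
    "https://www.w3.org",
    "https://webaudio.github.io",
    "https://www.w3xorg",              # "." in the loose pattern matches "x"
    "https://webaudio.githubxio",      # same effect on the second pattern
    "https://www.w3.org.example.net",  # prefix matches, but $1 is only the prefix
]

def accepted(patterns, path=FONT):
    """Origins for which the modelled response would pass the browser check."""
    return [o for o in ORIGINS
            if browser_accepts(o, cors_headers(path, o, patterns))]

if __name__ == "__main__":
    print("loose :", accepted(LOOSE))
    print("strict:", accepted(STRICT))
```

Running the same list of Origin values through a real server with `curl -H "Origin: ..."` and comparing the returned header is the equivalent check after any change to the allow-list.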