[sysreq #12077] CORS headers needed for MathJax fonts, allowing access from from Vivien Lacourba via RT on 2017-09-22 (public-audio@w3.org from July to September 2017)

From: Vivien Lacourba via RT <sysreq@w3.org>
Date: Fri, 22 Sep 2017 07:33:45 +0000
CC: bert@w3.org, public-audio@w3.org
Message-ID: <rt-4.2.8-1558-1506065620-1196.12077-18-0@w3.org>

Hi Chris,

On Thu Sep 21 18:56:24 2017, chris wrote:
> Hi sysreq,
> 
> (Bert copied as maintainer of the W3C MathJax instance, WG copied
> because of issue 1329 )
> https://github.com/WebAudio/web-audio-api/issues/1329
> 
> The Web Audio spec uses MathJax. The editors draft, at
> https://webaudio.github.io/web-audio-api/ gives browser console errors
> because of the cross origin font request (which is correct, per spec)
> and so I am asking for an Access-Control-Allow-Origin header to be
> added, enabling webaudio.github.io.
> 
> Here is a sample error (similar ones for the other fonts)
> 
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
> the remote resource at
> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-
> CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1.
> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
> 
> which leads to
> 
> downloadable font: download failed (font-family: "MathJax_Size4"
> style:normal weight:normal stretch:normal src index:0): bad URI or
> cross-site access not allowed source:
> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-
> CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1
> 
> There is documentation here on adding CORS headers
> https://www.w3.org/wiki/CORS_Enabled
> https://www.webcodegeeks.com/web-servers/cors-and-how-to-enable-it-in-
> apache-web-server/
> https://enable-cors.org/server_apache.html
> 
> Thanks!

I am adding José (our CORS expert inside Systeam), Antonio (owner of /scripts/) to the loop, they will give you a definitive answer here.

We could add CORS headers to allow any origin ("*") to use content from w3.org/scripts but that seem to defeat the good practice we tried to put in place for the /scripts area:

extract from https://www.w3.org/scripts/ :
[[
This is W3C's central repository of JS modules and frameworks. Please consider the following:
* These resources are intended to be persistent and immutable
* Because of that, you are welcomed (read “encouraged”) to link to these files from any specs, documents and pages hosted under w3.org
* Please do not link to these files from external pages or sites (you may consider using a CDN instead)
]]

I am not sure if we could allow github.io in addition to w3.org as I don't think you can allow multiple origin (it seems to be either one or any):

[[ Access-Control-Allow-Origin: <origin> | * ]]

Vivien

Received on Friday, 22 September 2017 07:33:47 UTC