# Re: [sysreq #12077] CORS headers needed for MathJax fonts, allowing access from

From: Bert Bos via RT <sysreq@w3.org>
Date: Fri, 22 Sep 2017 11:31:30 +0000
Message-ID: <rt-4.2.8-1559-1506079889-713.12077-18-0@w3.org>


> On 22 Sep 2017, at 09:33, Vivien Lacourba via RT <sysreq@w3.org> wrote:
>
> Hi Chris,
>
> On Thu Sep 21 18:56:24 2017, chris wrote:
>> Hi sysreq,
>>
>> (Bert copied as maintainer of the W3C MathJax instance, WG copied
>> because of issue 1329 )
>> https://github.com/WebAudio/web-audio-api/issues/1329
>>
>> The Web Audio spec uses MathJax. The editors draft, at
>> https://webaudio.github.io/web-audio-api/ gives browser console errors
>> because of the cross origin font request (which is correct, per spec)
>> and so I am asking for an Access-Control-Allow-Origin header to be
>>
>> Here is a sample error (similar ones for the other fonts)
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1.
>> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
>>
>>
>> style:normal weight:normal stretch:normal src index:0): bad URI or
>> cross-site access not allowed source:
>> https://www.w3.org/scripts/MathJax/2.6.1/fonts/HTML-CSS/TeX/woff/MathJax_Size4-Regular.woff?rev=2.6.1
>>
>> https://www.w3.org/wiki/CORS_Enabled
>> https://www.webcodegeeks.com/web-servers/cors-and-how-to-enable-it-in-apache-web-server/
>> https://enable-cors.org/server_apache.html
>>
>> Thanks!
>
> I am adding José (our CORS expert inside Systeam) and Antonio (owner of /scripts/) to the loop; they will give you a definitive answer here.
>
> We could add CORS headers to allow any origin ("*") to use content from w3.org/scripts but that seems to defeat the good practice we tried to put in place for the /scripts area:
>
> extract from https://www.w3.org/scripts/ :
> [[
> This is W3C's central repository of JS modules and frameworks. Please consider the following:
> * These resources are intended to be persistent and immutable
> * Because of that, you are welcomed (read “encouraged”) to link to these files from any specs, documents and pages hosted under w3.org
> * Please do not link to these files from external pages or sites (you may consider using a CDN instead)
> ]]
>
> I am not sure if we could allow github.io in addition to w3.org as I don't think you can allow multiple origins (it seems to be either one or any):
>
> [[ Access-Control-Allow-Origin: <origin> | * ]]

But if I remember correctly, that one <origin> isn’t a fixed string. It is determined dynamically, because it has to be an exact copy of the Origin header in the HTTP request. It’s not easy, but I think you can allow multiple origins with some Apache trickery. A real Apache expert should look at it, but I think it is something like this:

# Set the ORIGIN env var if the request's Origin is exactly www.w3.org or
# webaudio.github.io (anchored, dots escaped, so a lookalike host such as
# www.w3.org.example does not match):
SetEnvIfNoCase Origin "^(https?://www\.w3\.org(:[0-9]+)?)$" ORIGIN=$1
SetEnvIfNoCase Origin "^(https?://webaudio\.github\.io(:[0-9]+)?)$" ORIGIN=$1

# If the request is for a .woff and we recognized the Origin, echo it back as
# the CORS header (mod_headers); Vary so caches keep per-origin answers apart:
<Files "*.woff">
    Header set Access-Control-Allow-Origin "%{ORIGIN}e" env=ORIGIN
    Header merge Vary Origin
</Files>

Of course, it complicates maintenance of our server. Maybe in a few months other groups want to use it, too, and in a few years we will no doubt replace github by something else... I’m not volunteering to manage CORS stuff. :-)

Bert
--
Bert Bos                                ( W 3 C ) http://www.w3.org/
http://www.w3.org/people/bos                               W3C/ERCIM
bert@w3.org                             2004 Rt des Lucioles / BP 93
+33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France
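The allowlist-and-echo idea from Bert's draft config, written as a small request-time check so it can be exercised offline. This is an added example, not the W3C server's configuration; the two allowed origins are taken from the thread, and the draft's unanchored pattern is kept alongside only to show why the match must cover the whole Origin value.

```python
import re
from typing import Dict, Optional

# Constructed allowlist: the two origins discussed in the thread. Anchored by
# fullmatch() below; dots escaped; optional explicit port allowed.
ALLOWED_ORIGIN = re.compile(
    r"https?://(www\.w3\.org|webaudio\.github\.io)(:[0-9]{1,5})?",
    re.IGNORECASE,
)

# The unanchored pattern as it appeared in the draft config, kept only to
# demonstrate the lookalike-host problem.
DRAFT_PATTERN = re.compile(r"(https?://www.w3.org(:.*)?)", re.IGNORECASE)


def cors_headers_for(origin: Optional[str]) -> Dict[str, str]:
    """Response headers to add to a font reply for the given request Origin.

    Mirrors the Apache approach: echo the Origin back only when the whole
    value matches the allowlist, never fall back to "*". "Vary: Origin" is
    always sent so a shared cache does not replay one origin's answer to
    a different origin.
    """
    headers = {"Vary": "Origin"}
    if origin and ALLOWED_ORIGIN.fullmatch(origin):
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def draft_pattern_accepts(origin: str) -> bool:
    """True if the unanchored draft regex finds a match anywhere in the value."""
    return DRAFT_PATTERN.search(origin) is not None


if __name__ == "__main__":
    # Constructed sample Origin values, including a lookalike host that must
    # be rejected by the allowlist even though the draft pattern accepts it.
    for o in ("https://webaudio.github.io", "https://www.w3.org:8443",
              "https://www.w3.org.lookalike.example", "https://example.net"):
        print(o, "->", cors_headers_for(o), "draft:", draft_pattern_accepts(o))
```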


Received on Friday, 22 September 2017 11:31:31 UTC
