Side navigation
#13267 closed feature (fixed)
Opened January 19, 2013 08:21AM UTC
Closed January 19, 2013 09:03PM UTC
Last modified January 21, 2013 01:15PM UTC
CDNs should publish a "Access-Control-Allow-Origin: *" header
| Reported by: | rakeshpai@errorception.com | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | misc | Version: | git |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
For applications and services that are trying to track errors using window.onerror, since jQuery is loaded off a CDN, most modern browsers don't post any data to the window.onerror handler. Instead, they only say "Script error" on "line 0". Relevant Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=363897
Since this is a severe limitation for error recording, browsers are now adding support for letting x-domain scripts post errors to window.onerror. (Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=696301, Webkit: https://bugs.webkit.org/show_bug.cgi?id=81438). However, these mechanisms require that the x-origin script (jQuery loaded from the CDN in this case) should specify the "Access-Control-Allow-Origin" header.
I suggest that jQuery should send the CORS headers for the js file, so that people can continue to use jQuery from the CDN while recording errors with window.onerror.
This has no adverse effects, AFAICT at least, on regular jQuery usage otherwise.
Attachments (0)
Change History (4)
Changed January 19, 2013 08:01PM UTC by comment:1
| component: | unfiled → misc |
|---|---|
| milestone: | None → 1.9.1 |
| priority: | undecided → low |
| status: | new → open |
Changed January 19, 2013 09:03PM UTC by comment:2
| milestone: | 1.9.1 → None |
|---|---|
| resolution: | → fixed |
| status: | open → closed |
I added the header to the machine that serves this. It could take a while for it to fully propagate across all the versions on the CDN, but anything new should get served with this header.
Changed January 21, 2013 01:08PM UTC by comment:3
Just to verify that this is indeed working:
http://danheberden.com/share/8ade20.png
and I forced a re-fetch from the CDN for 1.8.3, 1.7.2, and 1.6.4.
Changed January 21, 2013 01:15PM UTC by comment:4
Thanks a ton. You guys rock!
For doc completeness, I just want to emphasise that if one really wants to track JS errors across domains using window.onerror, they'll have to add a crossorigin="anonymous" to their script tag. So, the script tag will look as follows:
<script src="http://code.jquery.com/jquery-1.8.2.js" crossorigin="anonymous"></script>
This is as described here: https://bugzilla.mozilla.org/show_bug.cgi?id=696301
Also of note is that crossorigin="anonymous" should only be used if the CORS headers are sent. If crossorigin is used without the CORS headers, the script will not be evaluated at all (at least in Firefox). Described here: https://bugzilla.mozilla.org/show_bug.cgi?id=832587
Wow, all news to me. This seems like a reasonable request. This is more an infrastructure thing but since I have no idea where to put it I'll leave it here for Dan or Corey to look at.