Bug Tracker

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#13267 closed feature (fixed)

CDNs should publish an "Access-Control-Allow-Origin: *" header

Reported by: rakeshpai@…
Owned by:
Priority: low
Milestone: None
Component: misc
Version: git
Keywords:
Cc:
Blocked by:
Blocking:


For applications and services that are trying to track errors using window.onerror, since jQuery is loaded off a CDN, most modern browsers don't post any data to the window.onerror handler. Instead, they only say "Script error" on "line 0". Relevant Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=363897

Since this is a severe limitation for error recording, browsers are now adding support for letting x-domain scripts post errors to window.onerror. (Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=696301, WebKit: https://bugs.webkit.org/show_bug.cgi?id=81438). However, these mechanisms require that the x-origin script (jQuery loaded from the CDN in this case) should specify the "Access-Control-Allow-Origin" header.

I suggest that jQuery should send the CORS headers for the js file, so that people can continue to use jQuery from the CDN while recording errors with window.onerror.

This has no adverse effects, AFAICT at least, on regular jQuery usage otherwise.

Change History (4)

comment:1 Changed 6 years ago by dmethvin

Component: unfiled → misc
Milestone: None → 1.9.1
Priority: undecided → low
Status: new → open

Wow, all news to me. This seems like a reasonable request. This is more an infrastructure thing but since I have no idea where to put it I'll leave it here for Dan or Corey to look at.

comment:2 Changed 6 years ago by gnarf

Milestone: 1.9.1 → None
Resolution: fixed
Status: open → closed

I added the header to the machine that serves this. It could take a while for it to fully propagate across all the versions on the CDN, but anything new should get served with this header.

comment:3 Changed 6 years ago by danheberden

Just to verify that this is indeed working:


and I forced a re-fetch from the CDN for 1.8.3, 1.7.2, and 1.6.4.

comment:4 Changed 6 years ago by rakeshpai@…

Thanks a ton. You guys rock!

For doc completeness, I just want to emphasise that if one really wants to track JS errors across domains using window.onerror, they'll have to add a crossorigin="anonymous" to their script tag. So, the script tag will look as follows:

<script src="http://code.jquery.com/jquery-1.8.2.js" crossorigin="anonymous"></script>

This is as described here: https://bugzilla.mozilla.org/show_bug.cgi?id=696301

Also of note is that crossorigin="anonymous" should only be used if the CORS headers are sent. If crossorigin is used without the CORS headers, the script will not be evaluated at all (at least in Firefox). Described here: https://bugzilla.mozilla.org/show_bug.cgi?id=832587
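Added example (not part of the ticket or of jQuery's code): a deployment check that predicts, for each script tag, which of the three outcomes described in this ticket a page will get, so that crossorigin is only added where the CORS header is actually served. The function names, outcome labels and the page origin https://app.example are constructed for illustration; the use-credentials branch goes beyond the ticket and follows the standard CORS rules for credentialed requests.

```javascript
// Case-insensitive lookup in a plain { name: value } response-header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// pageOrigin: origin of the embedding page, e.g. "https://app.example"
// tag:        { src, crossorigin } as written in the HTML (crossorigin may be undefined)
// headers:    response headers observed for tag.src
// Returns 'full-details', 'muted' or 'not-evaluated' (labels made up for this example).
function classifyScript(pageOrigin, tag, headers) {
  const scriptOrigin = new URL(tag.src, pageOrigin).origin;
  if (scriptOrigin === pageOrigin) return 'full-details';   // same origin is never muted
  if (tag.crossorigin === undefined) return 'muted';        // "Script error" on line 0

  const acao = headerValue(headers, 'Access-Control-Allow-Origin');
  if (tag.crossorigin === 'use-credentials') {
    // Credentialed fetch: wildcard is not accepted and credentials must be allowed.
    const acac = headerValue(headers, 'Access-Control-Allow-Credentials');
    return acao === pageOrigin && acac === 'true' ? 'full-details' : 'not-evaluated';
  }
  // Any other value behaves as crossorigin="anonymous".
  return acao === '*' || acao === pageOrigin ? 'full-details' : 'not-evaluated';
}

// Audit a list of { tag, headers } entries and return only the ones needing attention.
function auditScripts(pageOrigin, entries) {
  return entries
    .map(e => ({ src: e.tag.src, outcome: classifyScript(pageOrigin, e.tag, e.headers) }))
    .filter(r => r.outcome !== 'full-details');
}

// Handler side: recognise a muted report so it can be counted separately.
function isMutedReport(message, lineno) {
  return /^Script error\.?$/.test(String(message)) && !lineno;
}

// Constructed sample data: the CDN URL is the one from the ticket, headers are made up.
const SAMPLE = [
  { tag: { src: 'http://code.jquery.com/jquery-1.8.2.js' }, headers: {} },
  { tag: { src: 'http://code.jquery.com/jquery-1.8.2.js', crossorigin: 'anonymous' },
    headers: { 'access-control-allow-origin': '*' } },
  { tag: { src: 'https://other-cdn.example/lib.js', crossorigin: 'anonymous' }, headers: {} },
];
console.log(auditScripts('https://app.example', SAMPLE));
```
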
