#13267 closed feature (fixed)
CDNs should publish a "Access-Control-Allow-Origin: *" header
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | misc | Version: | git |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
For applications and services that are trying to track errors using window.onerror, since jQuery is loaded off a CDN, most modern browsers don't post any data to the window.onerror handler. Instead, they only say "Script error" on "line 0". Relevant Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=363897
Since this is a severe limitation for error recording, browsers are now adding support for letting x-domain scripts post errors to window.onerror. (Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=696301, Webkit: https://bugs.webkit.org/show_bug.cgi?id=81438). However, these mechanisms require that the x-origin script (jQuery loaded from the CDN in this case) should specify the "Access-Control-Allow-Origin" header.
I suggest that jQuery should send the CORS headers for the js file, so that people can continue to use jQuery from the CDN while recording errors with window.onerror.
This has no adverse effects, AFAICT at least, on regular jQuery usage otherwise.
Change History (4)
comment:1 Changed 11 years ago by
| Component: | unfiled → misc |
|---|---|
| Milestone: | None → 1.9.1 |
| Priority: | undecided → low |
| Status: | new → open |
comment:2 Changed 11 years ago by
| Milestone: | 1.9.1 → None |
|---|---|
| Resolution: | → fixed |
| Status: | open → closed |
I added the header to the machine that serves this. It could take a while for it to fully propagate across all the versions on the CDN, but anything new should get served with this header.
comment:3 Changed 11 years ago by
Just to verify that this is indeed working:
http://danheberden.com/share/8ade20.png
and I forced a re-fetch from the CDN for 1.8.3, 1.7.2, and 1.6.4.
comment:4 Changed 11 years ago by
Thanks a ton. You guys rock!
For doc completeness, I just want to emphasise that if one really wants to track JS errors across domains using window.onerror, they'll have to add a crossorigin="anonymous" to their script tag. So, the script tag will look as follows:
<script src="http://code.jquery.com/jquery-1.8.2.js" crossorigin="anonymous"></script>
This is as described here: https://bugzilla.mozilla.org/show_bug.cgi?id=696301
Also of note is that crossorigin="anonymous" should only be used if the CORS headers are sent. If crossorigin is used without the CORS headers, the script will not be evaluated at all (at least in Firefox). Described here: https://bugzilla.mozilla.org/show_bug.cgi?id=832587
Wow, all news to me. This seems like a reasonable request. This is more an infrastructure thing but since I have no idea where to put it I'll leave it here for Dan or Corey to look at.