Skip to main content

Bug Tracker

Side navigation

#13267 closed feature (fixed)

Opened January 19, 2013 08:21AM UTC

Closed January 19, 2013 09:03PM UTC

Last modified January 21, 2013 01:15PM UTC

CDNs should publish a "Access-Control-Allow-Origin: *" header

Reported by: Owned by:
Priority: low Milestone: None
Component: misc Version: git
Keywords: Cc:
Blocked by: Blocking:

For applications and services that are trying to track errors using window.onerror, since jQuery is loaded off a CDN, most modern browsers don't post any data to the window.onerror handler. Instead, they only say "Script error" on "line 0". Relevant Firefox bug:

Since this is a severe limitation for error recording, browsers are now adding support for letting x-domain scripts post errors to window.onerror. (Firefox:, Webkit: However, these mechanisms require that the x-origin script (jQuery loaded from the CDN in this case) should specify the "Access-Control-Allow-Origin" header.

I suggest that jQuery should send the CORS headers for the js file, so that people can continue to use jQuery from the CDN while recording errors with window.onerror.

This has no adverse effects, AFAICT at least, on regular jQuery usage otherwise.

Attachments (0)
Change History (4)

Changed January 19, 2013 08:01PM UTC by dmethvin comment:1

component: unfiledmisc
milestone: None1.9.1
priority: undecidedlow
status: newopen

Wow, all news to me. This seems like a reasonable request. This is more an infrastructure thing but since I have no idea where to put it I'll leave it here for Dan or Corey to look at.

Changed January 19, 2013 09:03PM UTC by gnarf comment:2

milestone: 1.9.1None
resolution: → fixed
status: openclosed

I added the header to the machine that serves this. It could take a while for it to fully propagate across all the versions on the CDN, but anything new should get served with this header.

Changed January 21, 2013 01:08PM UTC by danheberden comment:3

Just to verify that this is indeed working:

and I forced a re-fetch from the CDN for 1.8.3, 1.7.2, and 1.6.4.

Changed January 21, 2013 01:15PM UTC by comment:4

Thanks a ton. You guys rock!

For doc completeness, I just want to emphasise that if one really wants to track JS errors across domains using window.onerror, they'll have to add a crossorigin="anonymous" to their script tag. So, the script tag will look as follows:

<script src="" crossorigin="anonymous"></script>

This is as described here:

Also of note is that crossorigin="anonymous" should only be used if the CORS headers are sent. If crossorigin is used without the CORS headers, the script will not be evaluated at all (at least in Firefox). Described here: