
Cross-Origin requests blocked to static.miraheze.org
Closed, Resolved | Public

Description

Attempting to load font files (and probably other resources) from static.miraheze.org fails with a message logged to browser consoles.

This apparently is broken in IE, Edge, Firefox, and Chrome, although Paladox said Safari worked.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.miraheze.org/concordancewiki/f/fd/ConcordanceExtended.otf. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

The "Learn More" links here.

Note that apparently CORS != CSP, and I have no idea what this is.

Event Timeline

NDKilla created this task. Mar 8 2019, 03:28
NDKilla added a comment. Mar 8 2019, 03:28

cc @Southparkfan because this apparently has to do with headers and Paladox thinks you may have broken things 🔧

Southparkfan added a comment. Edited Mar 8 2019, 10:17

A change in CSP breaking CORS? Nah, that doesn't seem likely, but I'll take a look this weekend.

John assigned this task to Southparkfan. Mar 8 2019, 10:44
Void added a subscriber: Void. Mar 8 2019, 14:05

FWIW, attempting to do CORS requests has never worked (at least not on my end), and I first set up a testing script for it nearly two years ago (but that has to do with the API).

Paladox added a comment. Mar 8 2019, 14:15

Ah ok, @Southparkfan, I was wrong then (per @Void).

Southparkfan closed this task as Resolved. Mar 10 2019, 18:25

This was definitely not CSP. CSP blocks the loading of malicious external resources, though static.miraheze.org is already whitelisted. Also, for a browser to load a resource (regardless whether CSP is enabled or not), the origin site (in this case, <wiki>.miraheze.org) must be in the Access-Control-Allow-Origin header sent by static.miraheze.org.

static.miraheze.org only sets this header (wildcard value, any origin site is allowed) if the requested resource matches this nginx location rule: location ~* .(gif|ico|jpg|jpeg|png|svg)$ - .otf doesn't match that rule, thus the header is not present and the browser will refuse to load the resource.

Wikimedia sets this header for all requests towards upload.wikimedia.org (the equivalent of static.miraheze.org), which might not be preferred for us, since we host more than just wikis' images/videos/etc. However, I see no reason not to allow .otf files to be loaded, thus I changed this in this commit.
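The following is an added example, not code from the task or from Miraheze's configuration. It models the two halves of the failure the resolution describes: a static host that emits Access-Control-Allow-Origin only when the request path matches an extension rule, and a browser that refuses a cross-origin font when that header is absent or names a different origin. The original rule is the one quoted in the comment above; the widened rule, the specific-origin header and the request paths other than the .otf URL from the console message are this example's own assumptions. It also shows the caveat that an unescaped dot in such a rule matches any character, so the header would leak onto paths that do not actually end in an image extension.

```python
import re
from typing import Dict, Optional

# Rule quoted in the task. nginx "location ~*" is a case-insensitive regex
# against the request path; the dot is escaped here so it matches a literal
# ".", which is what the rule is meant to do.
ORIGINAL_RULE = r"\.(gif|ico|jpg|jpeg|png|svg)$"

# Assumed widened rule: the task says only that .otf was added; the other
# font extensions are this example's addition, not Miraheze's config.
WIDENED_RULE = r"\.(gif|ico|jpg|jpeg|png|svg|otf|ttf|woff|woff2)$"

# Path from the browser console message in the task description.
FONT_PATH = "/concordancewiki/f/fd/ConcordanceExtended.otf"


def static_response_headers(path: str, rule: str) -> Dict[str, str]:
    """Model of the static host: add the wildcard CORS header only when the
    path matches the location rule, otherwise send no CORS header at all."""
    headers = {"Content-Type": "application/octet-stream"}
    if re.search(rule, path, re.IGNORECASE):
        headers["Access-Control-Allow-Origin"] = "*"  # wildcard: any origin
    return headers


def browser_allows(origin: str, headers: Dict[str, str]) -> bool:
    """Simplified browser-side check for a cross-origin font (or XHR/fetch)
    response: Access-Control-Allow-Origin must be present and be either the
    wildcard or exactly the requesting origin."""
    acao: Optional[str] = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # "CORS header 'Access-Control-Allow-Origin' missing"
    return acao == "*" or acao == origin


def diagnose(origin: str, path: str, rule: str) -> str:
    """Run both halves and return a short verdict for the given request."""
    headers = static_response_headers(path, rule)
    if browser_allows(origin, headers):
        return "allowed"
    if "Access-Control-Allow-Origin" not in headers:
        return "blocked: Access-Control-Allow-Origin missing"
    return "blocked: Access-Control-Allow-Origin does not match origin"


def rule_escapes_dot(rule: str) -> bool:
    """Sanity check for the extension rule itself: an unescaped leading dot
    matches any character, so '/files/notasvg' would be treated as '.svg'."""
    return rule.startswith(r"\.")


if __name__ == "__main__":
    # Assumed requesting origin; the task says "<wiki>.miraheze.org".
    origin = "https://concordance.miraheze.org"
    for rule in (ORIGINAL_RULE, WIDENED_RULE):
        print(rule, "->", diagnose(origin, FONT_PATH, rule))
    # Unescaped variant of the original rule, to show why the dot matters.
    unescaped = r".(gif|ico|jpg|jpeg|png|svg)$"
    print("unescaped dot leaks header onto /files/notasvg:",
          "Access-Control-Allow-Origin" in
          static_response_headers("/files/notasvg", unescaped))
```

Running the block prints "blocked: Access-Control-Allow-Origin missing" for the .otf path under the original rule and "allowed" under the widened one, which is exactly the before/after the resolution describes. The header check in browser_allows is deliberately minimal (no credentials, no Vary handling); the point is that CSP on the requesting wiki never enters into it, so a CSP change cannot produce this particular console error.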