[wp-meta] [Making WordPress.org] #5477: Add CORS headers for responses from s.w.org
Making WordPress.org
noreply at wordpress.org
Fri Oct 16 20:05:33 UTC 2020
#5477: Add CORS headers for responses from s.w.org
-------------------------+--------------------
Reporter: westonruter | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: General | Keywords:
-------------------------+--------------------
I'm working on the [https://github.com/GoogleChromeLabs/pwa-wp PWA plugin]
to [https://github.com/GoogleChromeLabs/pwa-wp/pull/338 enable offline
browsing] for previously-visited pages. In order to ensure that pages are
available offline, I'm adding a network-first caching strategy for:

 * navigation requests
 * theme assets
 * plugin assets
 * uploaded images
 * core assets

I've come up against an issue specifically with the core assets,
specifically as it relates to core pulling in images from `s.w.org`:
namely Twemoji.

The issue is that responses from `s.w.org` do not include CORS headers.
{{{
$ curl -I https://s.w.org/images/core/emoji/13.0.0/svg/1f6e0.svg
HTTP/2 200
server: nginx
date: Fri, 16 Oct 2020 19:56:50 GMT
content-type: image/svg+xml
content-length: 1020
vary: Accept-Encoding
last-modified: Mon, 15 Jun 2020 17:45:48 GMT
x-frame-options: SAMEORIGIN
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-nc: HIT sea 2
x-content-type-options: nosniff
accept-ranges: bytes
}}}
By lacking `Access-Control-Allow-Origin: *`, programmatic fetches to grab
images from the CDN such as by a service worker or via a `fetch()` in the
block editor will not be able to read from the response body. They will be
"opaque" responses. When opaque responses are stored using the Cache API,
they get assigned random sizes to guard against information leakage. See
https://stackoverflow.com/a/39109790/93579

Please add `Access-Control-Allow-Origin: *` to responses from `s.w.org`.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5477>
Making WordPress.org <https://meta.trac.wordpress.org/>
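
Added example, not part of the original ticket and not code from the PWA plugin: a small model of the CORS check a browser applies to a cross-origin response, run over the headers shown in the ticket (abridged) and over a constructed copy carrying the requested header. The function names and the `https://example.com` origin are assumptions made for illustration.

```javascript
// Added example: approximates the check a browser applies before script
// may read a cross-origin response body. Not the browser's own code.
// Header dump as printed by `curl -I` in the ticket (abridged).
const CURRENT_HEADERS = `HTTP/2 200
server: nginx
content-type: image/svg+xml
content-length: 1020
x-frame-options: SAMEORIGIN
cache-control: max-age=315360000
x-content-type-options: nosniff`;

// Constructed: the same response with the header the ticket asks for.
const REQUESTED_HEADERS = CURRENT_HEADERS + '\naccess-control-allow-origin: *';

// Parse "name: value" lines into a Map keyed by lower-cased header name.
function parseHeaders(dump) {
  const headers = new Map();
  for (const line of dump.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skips the status line and blank lines
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Returns the Response.type a page at `origin` would observe.
// mode: 'cors' or 'no-cors'; credentials: true when cookies are sent.
function responseType(dump, origin, mode, credentials = false) {
  if (mode === 'no-cors') return 'opaque'; // body, status and headers hidden
  const headers = parseHeaders(dump);
  const acao = headers.get('access-control-allow-origin');
  if (acao === undefined) return 'error'; // fetch() rejects with a TypeError
  if (!credentials) return acao === '*' || acao === origin ? 'cors' : 'error';
  // With credentials the wildcard is not accepted and
  // Access-Control-Allow-Credentials must be "true".
  const acac = headers.get('access-control-allow-credentials');
  return acao === origin && acac === 'true' ? 'cors' : 'error';
}

const ORIGIN = 'https://example.com'; // hypothetical requesting site
console.log(responseType(CURRENT_HEADERS, ORIGIN, 'cors'));    // error
console.log(responseType(CURRENT_HEADERS, ORIGIN, 'no-cors')); // opaque
console.log(responseType(REQUESTED_HEADERS, ORIGIN, 'cors'));  // cors
```

The wildcard only satisfies requests made without credentials, so `Access-Control-Allow-Origin: *` on a static asset host makes the bodies readable without exposing anything tied to a user's cookies.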