Making WordPress.org

Opened 4 years ago

Closed 7 months ago

#5477 closed enhancement (fixed)

Add CORS headers for responses from s.w.org

Reported by: westonruter Owned by:
Milestone: Priority: normal
Component: General Keywords:
Cc:

Description

I'm working on the PWA plugin to enable offline browsing for previously-visited pages. In order to ensure that pages are available offline, I'm adding a network-first caching strategy for:

  • navigation requests
  • theme assets
  • plugin assets
  • uploaded images
  • core assets

I've come up against an issue specifically with the core assets, as it relates to core pulling in images from s.w.org: namely Twemoji.

The issue is that responses from s.w.org do not include CORS headers.

$ curl -I https://s.w.org/images/core/emoji/13.0.0/svg/1f6e0.svg
HTTP/2 200
server: nginx
date: Fri, 16 Oct 2020 19:56:50 GMT
content-type: image/svg+xml
content-length: 1020
vary: Accept-Encoding
last-modified: Mon, 15 Jun 2020 17:45:48 GMT
x-frame-options: SAMEORIGIN
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-nc: HIT sea 2
x-content-type-options: nosniff
accept-ranges: bytes

By lacking Access-Control-Allow-Origin: *, programmatic fetches to grab images from the CDN such as by a service worker or via a fetch() in the block editor will not be able to read from the response body. They will be "opaque" responses. When opaque responses are stored using the Cache API, they get assigned random sizes to guard against information leakage. See https://stackoverflow.com/a/39109790/93579

Please add Access-Control-Allow-Origin: * to responses from s.w.org.
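The following is an added example, not code from this ticket or from the PWA plugin, that models how a browser classifies a fetch() of an s.w.org emoji image from a page on another origin. It re-types (as constructed Headers objects, only the relevant fields) the two header sets shown in the curl output in this ticket, assumes a hypothetical site origin of https://example.com, and applies the Fetch spec's CORS check: without Access-Control-Allow-Origin the cors-mode fetch() rejects outright and a no-cors request (an <img> load intercepted by a service worker) yields an opaque response; with Access-Control-Allow-Origin: * the body becomes readable, except for credentialed requests, for which the wildcard is never accepted. The last helper is the check a service worker should run before cache.put().

```javascript
'use strict';
// Added example (not from the ticket or the PWA plugin). Runs in Node 18+ or a browser.

const PAGE_ORIGIN = 'https://example.com'; // assumed origin of the WordPress site
const CDN_URL = 'https://s.w.org/images/core/emoji/13.0.0/svg/1f6e0.svg';

// Constructed from the 2020 curl output in the ticket: no CORS headers at all.
const HEADERS_2020 = new Headers({
  'content-type': 'image/svg+xml',
  'cache-control': 'max-age=315360000',
  'x-content-type-options': 'nosniff',
});

// Constructed from the 2023 curl output in the ticket: CORS headers present.
const HEADERS_2023 = new Headers({
  'content-type': 'image/svg+xml',
  'cache-control': 'max-age=315360000',
  'x-content-type-options': 'nosniff',
  'access-control-allow-methods': 'GET, HEAD',
  'access-control-allow-origin': '*',
});

// Fetch spec "CORS check": may a document at `origin` read this response body?
function corsCheck(headers, origin, credentials = false) {
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === null) return false;            // header absent: never readable
  if (allowOrigin === '*') return !credentials;      // wildcard is rejected once cookies are sent
  if (allowOrigin !== origin) return false;          // explicit value must match exactly
  if (!credentials) return true;
  return headers.get('access-control-allow-credentials') === 'true';
}

// Returns what Response.type would report for this request, or throws the
// TypeError that fetch() rejects with when a cors-mode request fails the check.
//   'basic'  : same-origin, body readable
//   'cors'   : cross-origin, CORS check passed, body readable
//   'opaque' : cross-origin no-cors request (e.g. <img>, fetch(url, {mode: 'no-cors'})),
//              status reads as 0 and the body cannot be inspected
function classifyResponse({ url, mode = 'cors', credentials = 'same-origin' }, headers, origin) {
  if (new URL(url).origin === origin) return 'basic';
  if (mode === 'same-origin') throw new TypeError(`same-origin mode rejects ${url}`);
  if (mode === 'no-cors') return 'opaque';
  const withCredentials = credentials === 'include';
  if (corsCheck(headers, origin, withCredentials)) return 'cors';
  throw new TypeError(`CORS check failed for ${url}`);
}

// Service-worker side: decide whether a response is worth handing to cache.put().
// Opaque responses can be stored, but their status cannot be checked and the Cache
// API pads their reported size, so a caching strategy should skip them.
function swCachePolicy(type, status) {
  if (type === 'opaque') return 'skip-opaque';
  if (status !== 200) return 'skip-status';
  return 'store';
}

// Walk through the cases the ticket describes.
function demo() {
  const out = {};
  const cdn = { url: CDN_URL };
  try { out.fetch2020 = classifyResponse(cdn, HEADERS_2020, PAGE_ORIGIN); }
  catch (e) { out.fetch2020 = `rejected: ${e.message}`; }
  out.img2020 = classifyResponse({ ...cdn, mode: 'no-cors' }, HEADERS_2020, PAGE_ORIGIN);
  out.fetch2023 = classifyResponse(cdn, HEADERS_2023, PAGE_ORIGIN);
  try { out.credentialed2023 = classifyResponse({ ...cdn, credentials: 'include' }, HEADERS_2023, PAGE_ORIGIN); }
  catch (e) { out.credentialed2023 = `rejected: ${e.message}`; }
  out.policy2020 = swCachePolicy(out.img2020, 0);
  out.policy2023 = swCachePolicy(out.fetch2023, 200);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node cors_check.js` (file name assumed). The 2020 header set produces a rejected cors-mode fetch and an opaque no-cors response that the service worker policy skips; the 2023 set produces a 'cors' response that can be stored and inspected.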

Change History (1)

#1 @coffee2code
7 months ago

  • Resolution set to fixed
  • Status changed from new to closed

Closing as fixed since this has since been implemented:

❯  curl -I https://s.w.org/images/core/emoji/13.0.0/svg/1f6e0.svg
HTTP/2 200
server: nginx
date: Tue, 24 Oct 2023 18:28:20 GMT
content-type: image/svg+xml
content-length: 1020
last-modified: Mon, 15 Jun 2020 17:45:48 GMT
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
x-nc: MISS den 2
x-content-type-options: nosniff
accept-ranges: bytes