Opened 3 years ago
#5477 new enhancement
Add CORS headers for responses from s.w.org
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Component: | General | Keywords: | |
| Cc: |
Description
I'm working on the PWA plugin to enable offline browsing for previously-visited pages. In order to ensure that pages are available offline, I'm adding a network-first caching strategy for:
- navigation requests
- theme assets
- plugin assets
- uploaded images
- core assets
I've come up against an issue specifically with the core assets, specifically as it relates to core pulling in images from s.w.org: namely Twemoji.
The issue is that responses from s.w.org do not include CORS headers.
$ curl -I https://s.w.org/images/core/emoji/13.0.0/svg/1f6e0.svg HTTP/2 200 server: nginx date: Fri, 16 Oct 2020 19:56:50 GMT content-type: image/svg+xml content-length: 1020 vary: Accept-Encoding last-modified: Mon, 15 Jun 2020 17:45:48 GMT x-frame-options: SAMEORIGIN expires: Thu, 31 Dec 2037 23:55:55 GMT cache-control: max-age=315360000 x-nc: HIT sea 2 x-content-type-options: nosniff accept-ranges: bytes
By lacking Access-Control-Allow-Origin: *, programmatic fetches to grab images from the CDN such as by a service worker or via a fetch() in the block editor will not be able to read from the response body. They will be "opaque" responses. When opaque responses are stored using the Cache API, they get assigned random sizes to guard against information leakage. See https://stackoverflow.com/a/39109790/93579
Please add Access-Control-Allow-Origin: * to responses from s.w.org.