
Cross-Origin requests blocked to
Closed, Resolved, Public


Attempting to load font files (and probably other resources) from fails with a message logged to browser consoles.

This apparently is broken in IE, Edge, Firefox, and Chrome, although Paladox said Safari worked.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

The "Learn More" links here.

Note that apparently CORS != CSP, and I have no idea what this is.

Event Timeline

cc @Southparkfan because this apparently has to do with headers and Paladox thinks you may have broken things?

A change in CSP breaking CORS? Nah, that doesn't seem likely, but I'll take a look this weekend.

FWIW, attempting to do CORS requests has never worked (at least not on my end), and I first set up a testing script for it nearly two years ago (but that has to do with the API).

This was definitely not CSP. CSP blocks the loading of malicious external resources, though is already whitelisted. Also, for a browser to load a resource (regardless of whether CSP is enabled or not), the origin site (in this case, <wiki>) must be in the Access-Control-Allow-Origin header sent by only sets this header (wildcard value, any origin site is allowed) if the requested resource matches this nginx location rule: location ~* .(gif|ico|jpg|jpeg|png|svg)$ - .otf doesn't match that rule, thus the header is not present and the browser will refuse to load the resource.

Wikimedia sets this header for all requests towards (the equivalent of, which might not be preferred for us, since we host more than just wiki's images/videos/etc. However, I see no reason to not allow .otf files to be loaded, thus I changed this in this commit.
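
The header logic described in the comments above, as an added example that is not part of the original task or of Miraheze's configuration: a small Python model of the nginx location match and the browser's check for a cross-origin font load. The `otf` addition is an assumed shape for the fix (the commit is not shown here), and the paths and origin are constructed.

```python
import re

# Extension list from the nginx location rule quoted in the comment above.
PAGE_EXTS = ["gif", "ico", "jpg", "jpeg", "png", "svg"]
# Assumption: the fix adds otf to that list (the commit itself is not shown here).
FIXED_EXTS = PAGE_EXTS + ["otf"]

def location_rule(exts):
    """Model an nginx `location ~*` extension rule; the ~* modifier is case-insensitive."""
    return re.compile(r"\.(" + "|".join(exts) + r")$", re.IGNORECASE)

def response_headers(path, rule):
    """Server side: send the wildcard header only when the location rule matches."""
    uri = path.split("?", 1)[0]  # locations are matched without the query string
    return {"Access-Control-Allow-Origin": "*"} if rule.search(uri) else {}

def browser_allows(headers, page_origin):
    """Browser side: check applied to a non-credentialed CORS fetch such as a web font."""
    allowed = headers.get("Access-Control-Allow-Origin")
    if allowed is None:
        return False  # logged as "CORS header 'Access-Control-Allow-Origin' missing"
    return allowed in ("*", page_origin)

def audit(paths, exts, page_origin):
    """Map each path to whether a page on page_origin could load it cross-origin."""
    rule = location_rule(exts)
    return {p: browser_allows(response_headers(p, rule), page_origin) for p in paths}

# Constructed sample data, not taken from the task.
ORIGIN = "https://wiki.example.org"
PATHS = ["/img/logo.PNG", "/fonts/Example.otf", "/fonts/Example.otf?v=2", "/fonts/Example.woff"]

if __name__ == "__main__":
    for label, exts in (("rule as quoted", PAGE_EXTS), ("with otf added", FIXED_EXTS)):
        print(label)
        for path, ok in audit(PATHS, exts, ORIGIN).items():
            print(f"  {'loads  ' if ok else 'BLOCKED'} {path}")
```

With `otf` added, the `.woff` path is still blocked, so every font format that is served cross-origin has to be covered by the rule.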