We have sites (spins.fp.o, namely) which include webfonts from fp.o.
These includes are getting blocked because they are on a different (sub)domain. I would like to enable CORS headers for webfonts so that we can include them on other sites. The alternative is copying the css and fonts over to spins.fp.o directly but then we have multiple places to update the css every time we change it, which seems bad.
I tested this patch locally and it works as expected.
+1's?
commit 694cc14b4abe38bcaeae9deb13125b3aaabad7fc Author: Ricky Elrod codeblock@fedoraproject.org Date: Wed Nov 26 21:27:52 2014 +0000
Enable CORS header for webfonts
Signed-off-by: Ricky Elrod codeblock@fedoraproject.org
diff --git a/modules/fedora-web/files/fedora-web.conf b/modules/fedora-web/files/fedora-web.conf index 5ed95aa..a73fdaf 100644 --- a/modules/fedora-web/files/fedora-web.conf +++ b/modules/fedora-web/files/fedora-web.conf @@ -14,6 +14,10 @@ AddEncoding gzip .svgz </IfModule> </FilesMatch>
+<FilesMatch -webfont> + Header set Access-Control-Allow-Origin "*" +</FilesMatch> + <Location /static/checksums/> Options Indexes </Location>
On Wed, Nov 26, 2014 at 04:41:50PM -0500, Ricky Elrod wrote:
We have sites (spins.fp.o, namely) which include webfonts from fp.o.
These includes are getting blocked because they are on a different (sub)domain. I would like to enable CORS headers for webfonts so that we can include them on other sites. The alternative is copying the css and fonts over to spins.fp.o directly but then we have multiple places to update the css every time we change it, which seems bad.
I tested this patch locally and it works as expected.
+1's?
commit 694cc14b4abe38bcaeae9deb13125b3aaabad7fc Author: Ricky Elrod codeblock@fedoraproject.org Date: Wed Nov 26 21:27:52 2014 +0000
Enable CORS header for webfonts Signed-off-by: Ricky Elrod <codeblock@fedoraproject.org>
diff --git a/modules/fedora-web/files/fedora-web.conf b/modules/fedora-web/files/fedora-web.conf index 5ed95aa..a73fdaf 100644 --- a/modules/fedora-web/files/fedora-web.conf +++ b/modules/fedora-web/files/fedora-web.conf @@ -14,6 +14,10 @@ AddEncoding gzip .svgz
</IfModule> </FilesMatch>
+<FilesMatch -webfont>
- Header set Access-Control-Allow-Origin "*"
+</FilesMatch>
Just out of curiosity, can we be a little more specific than "*" ?
If not, then +1 for me.
Pierre
Yeah, +1 here too, but I echo pingou's query about making it more specific if we can do that. ;)
kevin
We can try something like this, which seems to work locally, but I've never used it before.
Of course, someone could register "ireallylovethefedoraproject.org" or even set up "i.love.the.fedoraproject.org.mydomain.com" and they'd still be able to hotlink to our fonts. I'm not sure how much of a conern that really is, though. Or we could list every possible site we run that might ever include the fonts, but that seems like it could get annoying too.
commit db81a1e1353d67adbe9a2aff76968a9ae9407708 Author: Ricky Elrod codeblock@fedoraproject.org Date: Wed Nov 26 21:27:52 2014 +0000
Enable CORS header for webfonts
Signed-off-by: Ricky Elrod codeblock@fedoraproject.org
diff --git a/modules/fedora-web/files/fedora-web.conf b/modules/fedora-web/files/fedora-web.conf index 5ed95aa..647dd02 100644 --- a/modules/fedora-web/files/fedora-web.conf +++ b/modules/fedora-web/files/fedora-web.conf @@ -14,6 +14,11 @@ AddEncoding gzip .svgz </IfModule> </FilesMatch>
+<FilesMatch -webfont> + SetEnvIfNoCase Origin "https?://.*.fedora(project|people|hosted).org.*" ACAO=$0 + Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO +</FilesMatch> + <Location /static/checksums/> Options Indexes </Location>
On 11/26/2014 05:30 PM, Kevin Fenzi wrote:
Yeah, +1 here too, but I echo pingou's query about making it more specific if we can do that. ;)
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Actually I guess we could nuke the trailing .* in that last patch after the ".org" which eliminates the "i.love.fedoraproject.org.mydomain.com" concern, but the "ilovethefedoraproject.org" issue is still there. Again, not really sure how much of a big concern this is.
-Ricky
On 11/26/2014 05:30 PM, Kevin Fenzi wrote:
Yeah, +1 here too, but I echo pingou's query about making it more specific if we can do that. ;)
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On second thought/re-read, the required "." before the "fedoraproject.org" in the regex would prevent the "ilovethefedoraproject.org" issue. So this seems reasonable I think, with the trailing .* removed.
New +1's?
On 11/26/2014 06:18 PM, Ricky Elrod wrote:
Actually I guess we could nuke the trailing .* in that last patch after the ".org" which eliminates the "i.love.fedoraproject.org.mydomain.com" concern, but the "ilovethefedoraproject.org" issue is still there. Again, not really sure how much of a big concern this is.
-Ricky
On 11/26/2014 05:30 PM, Kevin Fenzi wrote:
Yeah, +1 here too, but I echo pingou's query about making it more specific if we can do that. ;)
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On Thu, Nov 27, 2014 at 02:20:50AM -0500, Ricky Elrod wrote:
On second thought/re-read, the required "." before the "fedoraproject.org" in the regex would prevent the "ilovethefedoraproject.org" issue. So this seems reasonable I think, with the trailing .* removed.
New +1's?
Still +1 for me :)
Pierre
On 11/26/2014 06:18 PM, Ricky Elrod wrote:
Actually I guess we could nuke the trailing .* in that last patch after the ".org" which eliminates the "i.love.fedoraproject.org.mydomain.com" concern, but the "ilovethefedoraproject.org" issue is still there. Again, not really sure how much of a big concern this is.
-Ricky
On 11/26/2014 05:30 PM, Kevin Fenzi wrote:
Yeah, +1 here too, but I echo pingou's query about making it more specific if we can do that. ;)
kevin
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On Thu, 27 Nov 2014 08:41:35 +0100 Pierre-Yves Chibon pingou@pingoured.fr wrote:
On Thu, Nov 27, 2014 at 02:20:50AM -0500, Ricky Elrod wrote:
On second thought/re-read, the required "." before the "fedoraproject.org" in the regex would prevent the "ilovethefedoraproject.org" issue. So this seems reasonable I think, with the trailing .* removed.
New +1's?
Still +1 for me :)
+1 here still.
kevin
infrastructure@lists.fedoraproject.org