19236 2012-10-03 00:17:03 +0000 Enable CORS on entire site 2012-10-04 00:23:17 +0000 1 1 1 Unclassified webplatform.org infrastructure unspecified PC All NEW P2 normal --- 1 ericbidelman schepers paul.irish rlane32 team-webplatform-admin public-webplatform-bugs oldest_to_newest 75171 0 ericbidelman 2012-10-03 00:17:03 +0000 http://enable-cors.org! I've heard a ton of interest from developers that want to integrate IDEs, tools, widgets, etc. with the web docs. webplatform's goal is to the be canonical docs for the web, we should allow people to access them any way they see fit. 75178 1 paul.irish 2012-10-03 01:02:20 +0000 Not sure if we serve on apache but this should do it.. <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule> 75183 2 rlane32 2012-10-03 01:15:36 +0000 I worry about enabling this via apache for every request... We can do it via filematch (which we just did for fonts), and can do it for MediaWiki's api using this: http://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains I just enabled that as well. 75187 3 ericbidelman 2012-10-03 01:37:28 +0000 There's info on security here: http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity ...there can be a perf overhead with the preflight request, but that it minimal. Is it possible to open it up to only /wiki/tutorial pages for starters? Also, if we go the route of whitelisting domains, how can folks add/suggest new ones? 75260 4 ericbidelman 2012-10-03 21:50:10 +0000 More info here: http://monsur.hossa.in/2012/09/07/thoughts-on-the-cors-preflight-cache.html Monsur has done experiments with CORS. He says: "serving the header should not be costly at all i mean, you are adding, what, 30 bytes per request" The worry is that you open up an "API" for folks to use. However, there's also nothing top stop folks from iframing in our pages and creating extra load on the server. If the server load is worry, has there been any thought in allowing folks to request as page as JSON?...and only enable the CORs headers for those types of requests? 75261 5 ericbidelman 2012-10-03 21:57:29 +0000 More info from Monsur: "honestly, i don't see it as being a big perf hit as long as devs play within the rules.. besides, if a dev is being malicious, they can find better ways that cors to do it (e.g. just write a script to hit the front page over and over)" At the very least, I'd like us to consider setting up a form or page where users can suggestion their domain if we go the whitelisting route. 75281 6 ericbidelman 2012-10-04 00:23:17 +0000 Just found out that GET requests without simple headers (http://www.w3.org/TR/cors/#simple-header) don't incur preflight requests.