Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[serving feature] Support Cross Origin Resource Policy for hosted js script

See original GitHub issue

In order to be able to use the iconify script with the <script> tag and with Cross Origin Embedder Policy enabled (good security practice), the iconify server would be required to respond with the Cross Origin Resource Policy set to ‘cross-origin’.

Is it something doable on your side?

Issue Analytics

State:
Created 2 years ago
Comments:7 (4 by maintainers)

Top GitHub Comments

2reactions

cyberaliencommented, Mar 20, 2022

Tested differences with and without header. It does fix issue and doesn’t break anything for users that do not use cross-origin headers. Added headers to code.iconify.design.

It will take a while to add them to API because there are many servers. Each of them needs to be temporarily taken out of network to update nginx config and I want to start with server in Frankfurt that is closest to me so I could see changes immediately, which should be done early in the morning when traffic is lowest. So I’ll start working on that tomorrow.

1reaction

userquincommented, Mar 20, 2022

@cyberalien @qortex using popular cdn returning this headers (last 3 not required: for example google fonts send them):

access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
access-control-expose-headers: *
cross-origin-opener-policy: same-origin-allow-popups
timing-allow-origin: *

Check headers for these urls:

I have had problems using some cdn with pwa and opaque resources: with previous headers the problem disappear (some crossorigin="anonymous" attr required).