Closed Bug 703566 Opened 13 years ago Closed 13 years ago

Add CORS headers to http://videos-cdn.mozilla.net

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Other
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: paul, Unassigned)

References

Details

Videos from videos-cdn.mozilla.net are loaded in the "360 Video" demo: https://developer.mozilla.org/en-US/demos/detail/360-video We need to CDN to add CORS headers to allow the WebGL code to read the content of the video. See: https://developer.mozilla.org/en/WebGL/Cross-Domain_Textures
Blocks: 703204
This would also be helpful for the Popcorn Maker team, as the default video is loaded from video-cdn.mozilla.net.
Blocks: 676913
bjacob landed my fix for enabling crossorigin videos in Nightly in bug 682299. How can we get the videos-cdn.mozilla.net server to send the "Access-Control-Allow-Origin: *" header?
Depends on: 682299
Assignee: nobody → server-ops
Component: Other → Server Operations
Product: Websites → mozilla.org
QA Contact: other → cshields
Version: unspecified → other
If I read the specs for this header properly, you can't really send 2 domains in the Access-Control-Allow-Origin header. In this particular situation, we cannot feasibly detect and send just the proper header (based on the request 'Origin' header) because that would require the CDN to support dynamic processing, or to destroy caching and call back to us for everything... so that's a non-starter. That means to make this work we'd need to send: Access-Control-Allow-Origin: * I think we can specify that on our CDN seed server(s) and it should cache and serve up that header... may need a cache flush on the CDN to pick up the change. Adding a couple Infrasec folks for a sign-off on doing this, as I'm not sure what the implications of this would be. I suspect it's fine, but want a more authoritative opinion.
Component: Server Operations → Server Operations: Web Operations
OS: Linux → All
Hardware: x86_64 → All
(In reply to Jake Maul [:jakem] from comment #3) > If I read the specs for this header properly, you can't really send 2 > domains in the Access-Control-Allow-Origin header. > > In this particular situation, we cannot feasibly detect and send just the > proper header (based on the request 'Origin' header) because that would > require the CDN to support dynamic processing, or to destroy caching and > call back to us for everything... so that's a non-starter. > > That means to make this work we'd need to send: > > Access-Control-Allow-Origin: * Yes, that's called anonymous CORS and is likely what you want for such non-confidential data.
Yeah, I'm assuming that the videos CDN doesn't have any confidential data, which is why * is okay. I'd also like * because that means we can use videos on the CDN for Popcorn Maker's default template videos, wherever Popcorn Maker is hosted from (localhost for developers, mozillapopcorn.org for everyone else).
Access-Control-Allow-Origin can only be a wildcard value in the following scenarios: - No sensitive data collected or available at the domain - No login supported at the domain If the above two items are true then this is ok.
The site is purely a content drop (not even html, just .webm and similar media files) with no auth, so both conditions are met. I will see about having our servers set this header.
This should be operational now. I've added the header and purged the CDN's cache, and on a test of one particular file it did seem to propagate the header.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.