Closed Bug 949465 Opened 11 years ago Closed 10 years ago

Enable CORS (or JSONP) site-wide, but also respect more specific htaccess files

Categories

(developer.mozilla.org Graveyard :: General, defect)

Product:
developer.mozilla.org Graveyard
Component:
General
Platform:
All
Other
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kaze, Unassigned)

References

Details

(Whiteboard: [specification][type:feature][dev-papercut]) 

What problems would this solve?
===============================
IDEs and advanced text editors could use this to have direct access to the best available documentation: click on a keyword in an HTML, CSS or JS file, press F1, get the documentation.

Who would use this?
===================
Web developers. All of them. :-)

What would users see?
=====================
No UI change on MDN.

What would users do? What would happen as a result?
===================================================
As users could access this documentation transparently, they would use it a lot more and we could expect to get more contributions.

Is there anything else we should know?
======================================
Wikipedia allows such an access and it’s pretty neat; I think it makes even more sense for MDN than for wikipedia.
Vote! MDN devs implement features based on number of votes :-)
I believe we have this already:

    https://developer.mozilla.org/en-US/docs/Project:MDN/Kuma/API

You can access the raw HTML of a doc page, even a specific section, and it serves up an ACAO: * header

curl -ksi -X'HEAD' 'https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/HTML5?raw&macros&section=Semantics'
HTTP/1.1 200 OK
Server: Apache
Vary: Cookie, Accept-Encoding
X-Backend-Server: developer2.webapp.scl3.mozilla.com
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Dec 2013 15:34:57 GMT
x-kuma-revision: 495301
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
ETag: "ec3c6939ea4e5f1e6a2d60a2b662a10a017732af"
X-Robots-Tag: noindex
Connection: Keep-Alive
X-Frame-Options: Allow
Last-Modified: Tue, 03 Dec 2013 06:16:42 GMT
X-Cache-Info: caching

Does that work for you?
FWIW, this is an old & partially broken pinboard / MDN mashup I did a few months ago:

http://dl.dropboxusercontent.com/u/2798055/mdn-mash/index.html

The significant part, though, is that it loads up MDN pages I bookmarked on pinboard.in and inserts their summaries into the page. When it worked fully, it would also pull in the content for whichever page you clicked.

I should update that thing and see what's breaking it
@lorchard That's awesome. Unfortunately I tested on some pages that didn't work, like tag list ( https://developer.mozilla.org/en-US/docs/tag/WebAPI for example ). This pages are useful to quickly get a list of all available resources, so if you could enable CORS on it… Thanks !
(In reply to Clochix from comment #4)
> @lorchard That's awesome. Unfortunately I tested on some pages that didn't
> work, like tag list ( https://developer.mozilla.org/en-US/docs/tag/WebAPI
> for example ). This pages are useful to quickly get a list of all available
> resources, so if you could enable CORS on it… Thanks !

Hmm, we do offer some feeds alongside the main API:

    https://developer.mozilla.org/en-US/docs/Project:MDN/Tools/Feeds

So, to get that page with JSONP:

    https://developer.mozilla.org/en-US/docs/feeds/json/tag/WebAPI?callback=foo

But, ideally the feed should also offer an ACAO: * header. So, we can keep this bug open to make that enhancement.

Our intent is to support CORS liberally for all data sources on MDN - so wherever that's missing, it's a bug!
Severity: normal → major
Whiteboard: [specification][type:feature] → [specification][type:feature][dev-papercut]
Thanks for marking this as major, Maris.

Optimizely trackEvent calls are currently failing because the ACAO header is not being served on some pages. We set ACAO in our htaccess file [1] but it does appear to affect all pages. We thought the load balancer could be at fault, but this happens even locally.

Are there any reservations against enabling CORS everywhere? If this is the goal, I can update the title accordingly.

[1] https://github.com/mozilla/kuma/blob/master/configs/htaccess#L78-81
s/but it does appear/but it does not appear
The only concern we ever have about CORS site-wide is if sites hot-link fonts for which we don't have rights to redistribute.

So, if we fix this site-wide via the root htaccess, we need to verify that the directory-level .htaccess [1] is still blocking CORS requests for those fonts.

[1] https://github.com/mozilla/kuma/blob/master/media/fonts/.htaccess
Summary: Enable CORS (or JSONP) on MDN → Enable CORS (or JSONP) site-wide, but also respect more specific htaccess files
Quick update to comment 7:

> We thought the load balancer could be at fault, but this happens even
> locally.

While ACAO headers are served on some production pages (see comment 2), they are not served on /any/ Vagrant-hosted pages. So I was incorrect in comment 7. ACAO headers are not served locally, true, but that seems to be for a different reason.
Depends on: 1043604
We're working with WebOps to address this in bug 1043604. Everyone here is free to add comments on the proposal from WebOps.
Blocks: 1043604
No longer depends on: 1043604
No longer blocks: 1043604
Depends on: 1043604
Done with 1043604
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.