Closed codefrau closed 6 years ago
Maybe it did work at some point, but right now, the server does not send CORS headers.
This is Chrome's error message in SqueakJS: Failed to load http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
And these are the headers I see:
$ whead http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Fri, 17 Nov 2017 12:58:20 GMT
Content-Type: application/zip
Content-Length: 16215793
Last-Modified: Mon, 26 Sep 2016 09:25:23 GMT
Connection: keep-alive
ETag: "57e8e983-f76ef1"
X-Clacks-Overhead: GNU Terry Pratchett
Accept-Ranges: bytes
If this and #11 get fixed I could again directly link files from SqueakJS, which would be awesome :)
This worked:
curl -H "Origin: http://try.squeak.org" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip
But this didnt:
curl -H "Origin: http://try.squeak.org/" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip
Fixed the regex. (note: you need the origin...)
It does not seem to work for localhost
or for squeak.js.org
. Does it have a very special list of allowed origins?
jep: *.squeak.org
location / {
#enable CORS from *.squeak.org
if ($http_origin ~ ^https?://([^/]+\.)?squeak\.org) { #hopefully this if won't affect try_files
add_header 'Access-Control-Allow-Origin' '*';
#See https://stackoverflow.com/questions/21104810/what-could-explain-the-browser-intermittently-not-loading-some-cors-crossorigin
#why the value is * instead of #http_origin
}
try_files $uri @autoindex;
I just changed it to allow more than just the root path. (I think @nicolas-cellier-aka-nice put it in there, but I'm not sure)
Hi Tobias, its beyond my expertise and I think I'm not a contributor https://github.com/squeak-smalltalk/squeak.org/graphs/contributors
Hi Nicolas, that was just a guess. I also talked about the server/nginx configuration, nothing here on github. And yes, checking the admin-log yields that it was levente who helped with CORS.
@bertfreudenberg do we need other hosts than *.squeak.org?
@krono Yes. At the very least localhost
(for debugging) and squeak.js.org
. But why not unconditionally allow it? Why do we need to restrict it to certain origins?
Dunno, Levente did that, most probably for good reasons. nevertheless, I included both. please try again.
Works for localhost
and once we have HTTPS (#11) I'm sure it will work for squeak.js.org
, too. Thanks!
'k
Particularly on
files.squeak.org
andbuild.squeak.org
.