On Sat, Aug 15, 2015 at 01:00:38AM -0700, Gergo Tisza wrote:
That does not sound like a big deal since we are loading most Javascript files from our own servers, and can fully control what headers are set, but we ran into occasional problems in the past when using CORS (MediaViewer uses CORS-enabled image loading to get access to certain performance statistics): some people use proxies or firewalls which strip CORS headers from the responses as some sort of misguided security effort, causing the request to fail. We wanted to know how many users would be affected by this if we loaded ResourceLoader scripts via CORS.
For Wikimedia sites, it is now impossible for proxies or firewalls to strip headers, after the switch to HTTPS-only. Was this analysis done before or during the HTTPS-only migration?
Faidon