On Sat, Aug 15, 2015 at 01:00:38AM -0700, Gergo Tisza wrote:
That does not sound like a big deal since we are
loading most Javascript
files from our own servers, and can fully control what headers are set, but
we ran into occasional problems in the past when using CORS (MediaViewer
uses CORS-enabled image loading to get access to certain performance
statistics): some people use proxies or firewalls which strip CORS headers
from the responses as some sort of misguided security effort, causing the
request to fail. We wanted to know how many users would be affected by this
if we loaded ResourceLoader scripts via CORS.
For Wikimedia sites, it is now impossible for proxies or firewalls to
strip headers, after the switch to HTTPS-only. Was this analysis done
before or during the HTTPS-only migration?
Faidon