Problem/Motivation
GitHub allows CORS for raw content, which means you can make fetch requests to their raw.githubusercontent.com domain without needing to modify headers.
Example - https://raw.githubusercontent.com/eleonel/Convivial-Profiler/1.0.x/convi...
The same asset hosted on git.drupalcode.org fails due to CORS:
$ curl --head https://git.drupalcode.org/project/convivial_profiler/-/raw/1.0.x/convivial_profiler.profiler_source.yml
HTTP/2 200
server: nginx
content-type: text/plain; charset=utf-8
content-disposition: inline
content-security-policy:
etag: "74350513dc8dc7abb7700b5e9d3e2b4b"
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01J8W9BED6ER4MW3254138NQF7","version":"1"}
x-permitted-cross-domain-policies: none
x-runtime: 0.051661
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
via: 1.1 varnish, 1.1 varnish
cache-control: public, max-age=600
accept-ranges: bytes
age: 0
date: Sat, 28 Sep 2024 12:23:09 GMT
x-served-by: cache-bfi-kbfi7400056-BFI, cache-syd10149-SYD
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1727526189.394287,VS0,VE228
vary: Accept-Encoding, Accept
x-request-id: 1902042180
x-time-elapsed: 0.228
permissions-policy: interest-cohort=()
strict-transport-security: max-age=900
content-length: 2187
$ curl --head https://raw.githubusercontent.com/eleonel/Convivial-Profiler/1.0.x/convivial_profiler.profiler_source.yml
HTTP/2 200
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "37fa01e0761021ceedae635ad6ea19c99c7cab72b4f4c1322c1097843ea8b0fc"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 85D1:2922D2:19A982:203BB0:66F7F53E
accept-ranges: bytes
date: Sat, 28 Sep 2024 12:23:27 GMT
via: 1.1 varnish
x-served-by: cache-adl2040023-ADL
x-cache: MISS
x-cache-hits: 0
x-timer: S1727526207.657041,VS0,VE379
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: d754abdc4ad1b730958ff5112fef8a9ef9d3bb29
expires: Sat, 28 Sep 2024 12:28:27 GMT
source-age: 0
content-length: 2187
Steps to reproduce
Proposed resolution
The best solution is to configure the server (in this case, git.drupalcode.org) to allow cross-origin requests. This can be done by modifying the server's CORS policy to include the correct Access-Control-Allow-Origin header. However, since you don't control this server, this may not be an option.
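To see why the browser treats the two hosts differently, the following added example (not part of the original issue or of either project's code) applies the Fetch standard's CORS check to header excerpts copied from the two curl outputs above. The origin `https://app.example` and the function names are assumptions made for illustration.

```javascript
// Parse a raw "curl --head" dump into a lowercase-name -> value map.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skips the status line and blank lines
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// CORS check as the browser performs it on a cross-origin fetch() response.
// withCredentials corresponds to fetch(..., { credentials: "include" }).
function corsCheck(rawHeaders, origin, withCredentials = false) {
  const h = parseHeaders(rawHeaders);
  const acao = h.get("access-control-allow-origin");
  if (acao === undefined)
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*")
    return withCredentials
      ? { allowed: false, reason: "wildcard is not honoured for credentialed requests" }
      : { allowed: true, reason: "wildcard origin" };
  if (acao !== origin)
    return { allowed: false, reason: "Access-Control-Allow-Origin does not match origin" };
  if (!withCredentials) return { allowed: true, reason: "origin echoed" };
  return h.get("access-control-allow-credentials") === "true"
    ? { allowed: true, reason: "origin echoed, credentials allowed" }
    : { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Excerpts of the responses shown in the issue.
const DRUPALCODE = `HTTP/2 200
content-type: text/plain; charset=utf-8
x-frame-options: SAMEORIGIN
vary: Accept-Encoding, Accept`;

const GITHUB = `HTTP/2 200
content-type: text/plain; charset=utf-8
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin`;

const ORIGIN = "https://app.example"; // placeholder origin of the requesting page

console.log("git.drupalcode.org:", corsCheck(DRUPALCODE, ORIGIN));
console.log("raw.githubusercontent.com:", corsCheck(GITHUB, ORIGIN));
```

The credentialed case shows that a wildcard only covers anonymous requests, which is appropriate for public raw files and keeps authenticated responses unreadable cross-origin.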
Remaining tasks
User interface changes
API changes
Data model changes