[FFmpeg-devel] Cross-origin resource error on fate.ffmpeg.org

Michael Niedermayer michaelni at gmx.at
Thu Sep 18 12:47:55 CEST 2014


On Wed, Sep 17, 2014 at 08:49:06PM -0700, Timothy Gu wrote:
> On Sep 17, 2014 8:02 PM, "Michael Niedermayer" <michaelni at gmx.at> wrote:
> >
> > On Wed, Sep 17, 2014 at 07:16:30PM -0700, Daniel Verkamp wrote:
> > > On Wed, Sep 17, 2014 at 12:59 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> > > > On Wed, Sep 17, 2014 at 11:33:32AM -0700, Daniel Verkamp wrote:
> > > >> Hi FFmpeg web folks,
> > > >>
> > > >> When visiting http://fate.ffmpeg.org/ using a browser that enforces
> > > >> CORS[1], loading the FontAwesome icon font causes this error:
> > > >>
> > > >>   Font from origin 'https://ffmpeg.org' has been blocked from loading
> > > >> by Cross-Origin Resource Sharing policy: No
> > > >> 'Access-Control-Allow-Origin' header is present on the requested
> > > >> resource. Origin 'http://fate.ffmpeg.org' is therefore not allowed
> > > >> access.
> > > [...]
> > > >
> > > > as you seem to know this / have researched it already
> > > > can you post what I need to add to httpd.conf to make this work ?
> > >
> > > Something like this (untested) should work:
> > >
> >
> > > <Location /fonts/>
> > >   Header set Access-Control-Allow-Origin "*"
> > > </Location>
> 
> I think only allowing *.ffmpeg.org is safer from a security PoV. I was
> already aware of this problem when I wrote the patch that changed the
> behavior. See
> http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/2014-July/160502.html

I am happy to change it if you provide something better that I can copy
and paste into httpd.conf

Note, http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
says: In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

also: http://tools.ietf.org/html/rfc6454#section-7.1

   serialized-origin   = scheme "://" host [ ":" port ]
                       ; <scheme>, <host>, <port> from RFC 3986

so I think there need to be http & https entries at least for all
domains


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
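
One way to limit the header to ffmpeg.org origins while respecting the single-origin constraint quoted above, as an added example that is not part of the original message or of FFmpeg's actual server configuration. It assumes mod_setenvif and mod_headers are loaded; the `CORS_ORIGIN` variable name and the regular expression are illustrative choices and have not been run against the real server.

```apache
# Constructed example for httpd.conf; needs mod_setenvif and mod_headers.
# CORS_ORIGIN is an arbitrary variable name chosen for this sketch.

# Not valid: browsers compare the header value to the request's Origin as a
# literal string, so a wildcard inside a host name never matches.
#   Header set Access-Control-Allow-Origin "*.ffmpeg.org"
# Not valid either: the value is a single origin, not a list.
#   Header set Access-Control-Allow-Origin "http://fate.ffmpeg.org https://fate.ffmpeg.org"

<Location /fonts/>
  # Capture the request's Origin only if it is http or https on ffmpeg.org
  # or one of its subdomains. The ^ and $ anchors reject look-alikes such as
  # "https://ffmpeg.org.example" and "https://notffmpeg.org". No port is
  # accepted, so only default-port origins match (RFC 6454 omits the
  # default port when serializing).
  SetEnvIf Origin "^https?://([a-z0-9-]+\.)*ffmpeg\.org$" CORS_ORIGIN=$0

  # Echo the matched origin back as the single allowed origin. Requests
  # with a missing or non-matching Origin get no CORS header at all.
  Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

  # The response now depends on the Origin request header, so caches must
  # key on it.
  Header merge Vary Origin
</Location>
```

Because the matched origin is reflected verbatim, both the http and https forms of each ffmpeg.org host are covered by one rule without listing them individually.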