No ‘Access-Control-Allow-Origin’ header is present

  • Resolved Josh Habdas

    (@jhabdas)


    6 years, 10 months ago

    JetPack loads a JS file called devicepx-jetpack.js from s0.wp.com but does not provide the Access-Control-Allow-Origin: * header in the response. Not allowing cross-origin request prevents assets from being loaded via Ajax, a common technique for improving site performance and UX.

    Is there a reason JetPack does not provide CORS headers for assets? If not, could the Access-Control-Allow-Origin: * header be provided?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    6 years, 10 months ago

    It’s just a javascript file. It’s not making cross-origin requests. It doesn’t make any XMLHTTPRequest calls. The presence or lack of an “Access-Control-Allow-Origin” header in that context is completely irrelevant if it’s not making any cross-site requests. It won’t improve or degrade performance in any way to have it present or not, when it’s not doing anything that would be affected by that header.

    Specifically, that file adjusts sizing on certain types of images to make them more friendly with high-dpi screens. Since it’s just modifying the DOM and not making any external requests, it really doesn’t matter what the headers are for it.

    Thread Starter Josh Habdas

    (@jhabdas)

    6 years, 10 months ago

    Thanks for the info and context, Samuel. Super helpful. The reason I ask is because if it were loaded asynchronously (e.g. via script loader) and deferred until the page readyState === 'interactive' the script could be preloaded as the DOM starts streaming in and parsing, rather than waiting.

    Async loading would have the benefit of removing the blocking request to an external resource currently being made and improve UX by eliminating a SPOF (in the Steve Souders sense of the word) for all JetPack users.

    • This reply was modified 6 years, 10 months ago by Josh Habdas.
    Thread Starter Josh Habdas

    (@jhabdas)

    6 years, 10 months ago

    Given this issue was resolved without a solution to the problem presented I’ll look for a workaround. I’m thinking an iFrame embed to circumvent the SOP is going to be the best approach for external resources not providing CORS headers. Kind of like how embeds work in Core. Thanks again for your help.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘No ‘Access-Control-Allow-Origin’ header is present’ is closed to new replies.