Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CORS/404 mega-issue: Responses lack access-control-allow-origin occasionally due to 404 #13165

Closed
urakagi opened this issue Dec 22, 2018 · 111 comments

Comments

@urakagi
Copy link

commented Dec 22, 2018

Hello, from today I found that when accessing cdnjs, the server will respond 404 or the response header will lack access-control-allow-origin: * header.
For example, my web app just made a request to https://cdnjs.cloudflare.com/ajax/libs/spin.js/2.3.2/spin.min.js, then get the response header under:

cache-control    public, max-age=14400
cf-cache-status    HIT
cf-ray    48d1a6325e2245ae-TPE
content-encoding    br
content-type    text/html
date    Sat, 22 Dec 2018 09:44:19 GMT
expect-ct    max-age=604800, report-uri="ht….com/cdn-cgi/beacon/expect-ct"
expires    Sat, 22 Dec 2018 13:44:19 GMT
served-in-seconds    0.000
server    cloudflare
strict-transport-security    max-age=15780000; includeSubDomains
vary    Accept-Encoding
X-Firefox-Spdy    h2

Since it lacks access-control-allow-origin: * header, the script is not loaded and my web app is broken.

Problematic files are quite random, when I access the same file in a different time it's sometimes good and sometimes bad. Also, it seems like depending on client's network, the frequency also differs.

On my mobile network this issue never happens, but in my company, it happens frequently, and in a VM it's 100%. (Always some URLs are broken)

Is there some maintenance or server issue affecting particular routes or? Thank you very much!

@khairahmanplus

This comment has been minimized.

Copy link

commented Dec 22, 2018

I have the same issue. My web application is broken.
screenshot 2018-12-22 at 7 40 56 pm

@chinkung

This comment has been minimized.

Copy link

commented Dec 22, 2018

I got the same issue during development for sometime, it seems random

Access to script at 'https://cdnjs.cloudflare.com/ajax/libs/photoswipe/4.1.2/photoswipe.min.js' from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
@ScottHelme

This comment has been minimized.

Copy link

commented Dec 22, 2018

I've also started to see the same thing and am getting no ACAO header on assets served by cndjs.

It seems to only be affecting my local dev environment but everything is busted right now.

@benguild

This comment has been minimized.

Copy link

commented Dec 22, 2018

I'm also having this issue, and it's triggering random JS errors coming back via Sentry. Furthermore, I personally just encountered it in the browser myself on my personal site.

2018-12-22 12 29 51

@ThomasTJdev

This comment has been minimized.

Copy link

commented Dec 22, 2018

Confirmed. There's no consistency in the files there are blocked, e.g. sometimes codemirror other times jQuery.

Edit
2 minutes ago everything worked as expected, but problem has returned.

Access to CSS stylesheet at 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.39.2/theme/monokai.min.css' from origin 'https://mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
# Other times
Access to script at 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.37.0/codemirror.min.js' from origin 'https://mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
@dbartenstein

This comment has been minimized.

Copy link

commented Dec 22, 2018

I can confirm that we experience the same issue!

[Error] Origin xxx is not allowed by Access-Control-Allow-Origin.
[Error] Failed to load resource: Origin xxx is not allowed by Access-Control-Allow-Origin. (leaflet.css, line 0)

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Dec 22, 2018

@MattIPv4 MattIPv4 changed the title Responses lack access-control-allow-origin occasionally CORS mega-issue: Responses lack access-control-allow-origin occasionally Dec 22, 2018

@MattIPv4 MattIPv4 pinned this issue Dec 22, 2018

@PeterDaveHello

This comment has been minimized.

Copy link
Member

commented Dec 22, 2018

@MattIPv4 I can do nothing about this, maybe ping @ryankirkman

@SlvrEagle23

This comment has been minimized.

Copy link

commented Dec 23, 2018

I'm experiencing the issue intermittently with several libraries that my project is dependent on:

https://cdnjs.cloudflare.com/ajax/libs/moment-timezone/0.5.21/moment-timezone-with-data.min.js

Access to script at 'https://cdnjs.cloudflare.com/ajax/libs/moment-timezone/0.5.21/moment-timezone-with-data.min.js' from origin 'http://docker.local' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

https://cdnjs.cloudflare.com/ajax/libs/mouse0270-bootstrap-notify/3.1.7/bootstrap-notify.min.js

Access to script at 'https://cdnjs.cloudflare.com/ajax/libs/mouse0270-bootstrap-notify/3.1.7/bootstrap-notify.min.js' from origin 'http://docker.local' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

https://cdnjs.cloudflare.com/ajax/libs/proj4js/2.4.4/proj4.js

Access to script at 'https://cdnjs.cloudflare.com/ajax/libs/proj4js/2.4.4/proj4.js' from origin 'http://docker.local' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Because the errors with these scripts tend to halt script execution on the pages, these errors have rendered large sections of my web app nonfunctional for several thousand installed instances of my FOSS application. The only way I could resolve the issue would be to distribute an update that refers to a different location, and this depends heavily on everyone affected updating in a timely fashion.

I know this service is a free one and I am immensely grateful to those who provide it, but the timing and duration of this issue has been really unfortunate and has done a lot of damage. :(

@MattIPv4 MattIPv4 added the ☢️ Bug label Dec 23, 2018

@nathankurtyka

This comment has been minimized.

Copy link

commented Dec 23, 2018

This issue is affecting our production, internal application (fortunately, our team is on vacation).

This appears to affect my requests 100% of the time (ie. it's very reproducible in our set up). I'd be happy to coordinate directly with anyone so they could do an end-to-end test. nathan@mycnajobs.com

screenshot 2018-12-23 at 12 54 05 pm

@benguild

This comment has been minimized.

Copy link

commented Dec 23, 2018

@nathankurtyka

This comment has been minimized.

Copy link

commented Dec 23, 2018

UPDATE: I have a public URL for which this problem seems to occur 100% of the time. Who could I send this info to? (although it's public, I'd rather not post this URL on a Github issue). But I'm happy to share!

@JamiesonRoberts

This comment has been minimized.

Copy link

commented Dec 23, 2018

The issue is happening to me specifically on webfont loader. Adding it here in hopes to be able to track down the sporadic nature of the issue.

https://cdnjs.cloudflare.com/ajax/libs/webfont/1.6.28/webfontloader.js

@rickmacgillis

This comment has been minimized.

Copy link

commented Dec 23, 2018

Any chance CDNJS can fix this immediately? The OP started this thread yesterday, and it's blocking everyone's sites, thus losing our trust in CDNJS. Just sayin'.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Dec 23, 2018

@rickmacgillis I wish I could say something useful to you here but currently we're all just waiting on @ryankirkman to reply to try and resolve this.

I have also contacted CF direct just in case it is an issue with them but no reply from them yet as it is a Sunday.

@L1ghtn1ng

This comment has been minimized.

Copy link

commented Dec 24, 2018

I am seeing this to on my dev box and I would not be surprised if sites in production are broken as well

@L1ghtn1ng

This comment has been minimized.

Copy link

commented Dec 24, 2018

This seems fixed now as I have got the header every time now, fingers crossed it is permanently, everyone give it a try now and see if it works for you

@urakagi

This comment has been minimized.

Copy link
Author

commented Dec 24, 2018

Still occurs on my VM machine.

@L1ghtn1ng

This comment has been minimized.

Copy link

commented Dec 24, 2018

Might have to wait a bit as it probably is taking a bit to get propagated everywhere but for me in the UK its fixed

@rickmacgillis

This comment has been minimized.

Copy link

commented Dec 24, 2018

Still busted in the US.

@shirish87

This comment has been minimized.

Copy link

commented Dec 24, 2018

FWIW, using curl to fetch the failing URLs results in a 404 if the Origin header is set. Works fine without the origin header.

curl -s -I -X GET 'https://cdnjs.cloudflare.com/ajax/libs/webfont/1.6.28/webfontloader.js' -H 'Origin: http://localhost:11000'
HTTP/2 404 
date: Mon, 24 Dec 2018 02:44:11 GMT
content-type: text/html
served-in-seconds: 0.000
cf-cache-status: HIT
expires: Mon, 24 Dec 2018 06:44:11 GMT
cache-control: public, max-age=14400
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 48dfb98569b3c38d-SIN

EDIT (2018-12-27): It could be that adding/removing/changing the Origin header is simply taking me to a different Cloudflare server that doesn't have the issue. I've seen 404s for files without the Origin header too, so it may not be related. Seems to be a cdnjs-Cloudflare config issue for a certain category.

@jimsug

This comment has been minimized.

Copy link

commented Dec 24, 2018

Hi all,

Just a bump on this post to report that it still occurs occasionally...

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/showdown/1.9.0/showdown.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/datatables/1.10.19/js/jquery.dataTables.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/x-editable/1.5.1/bootstrap3-editable/js/bootstrap-editable.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.bundle.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

It's occurring across a couple of production deployments, which is somewhat frustrating. As others have noted, I'm keenly aware that this is a service that costs end-users no money, which is why this is a "heads up" and definitely not a complaint or anything :)

@PeterDaveHello

This comment has been minimized.

Copy link
Member

commented Dec 24, 2018

@terinjokes would you please help take a look? Thanks.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

I have asked Simon (Cloudflare) to double check this due to the continued reports of intermittent issues. Hopefully it is just the earlier issue being cached but will keep this thread updated :)

@Fusl

This comment has been minimized.

Copy link

commented Feb 1, 2019

It's also working for me again so I can't provide with request/response headers or HAR.

@nathankurtyka

This comment has been minimized.

Copy link

commented Feb 1, 2019

It's definitely still a problem -- I'm able to reproduce it on mtr.sh. I've attached a HAR generated a few minutes ago.

@MattIPv4 I'm happy to coordinate directly with @simon-says anyone at CF

mtr.sh.zip

@phette23

This comment has been minimized.

Copy link

commented Feb 1, 2019

This is still happening for me with lightGallery.js (just the font files somehow, not CSS or JS files):

Access to font at 'https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.woff?n1z373' from origin 'https://libraries.cca.edu' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
jquery-3.2.1.min.js:4 GET https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.woff?n1z373 net::ERR_FAILED
Access to font at 'https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.ttf?n1z373' from origin 'https://libraries.cca.edu' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.ttf?n1z373:1 GET https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.ttf?n1z373 net::ERR_FAILED

headers:

> curl -i 'https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/fonts/lg.woff?n1z373' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36' -H 'Referer: https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.6.11/css/lightgallery.min.css' -H 'Origin: https://libraries.cca.edu' --compressed

HTTP/2 404
date: Fri, 01 Feb 2019 21:20:59 GMT
content-type: text/html
content-encoding: gzip
served-in-seconds: 0.001
cf-cache-status: HIT
expires: Sat, 02 Feb 2019 01:20:59 GMT
cache-control: public, max-age=14400
strict-transport-security: max-age=15780000; includeSubDomains
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
server: cloudflare
cf-ray: 4a277711de65282e-SJC

It 404s with that curl but loading the URL in the browser downloads the file.

@madroneropaulo

This comment has been minimized.

Copy link

commented Feb 1, 2019

It's happening also with the unpkg cdn, so for sure it's a CloudFlare issue...

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

@nathankurtyka / @phette23 Thank you for the continued reports, I have passed them onto @simon-says for further investigation. Once again, apologies for this drop in service :/

@PeterDaveHello

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

@MattIPv4 can you also loop me in? Thanks.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

@PeterDaveHello how best should I do that, I plan to keep all updates posted here. Do you want me to forward the email chain to you?

@PeterDaveHello

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

@MattIPv4 it'll be great to loop me in that mails, thanks!

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

@PeterDaveHello I don’t actually have an email address for you, what would be best?

You can email me@mattcowley.co.uk if you’d rather it wasn’t public.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 1, 2019

Hey all, good news from Cloudflare!

The issue had resurfaced due to an automatic process on their end reinstating a broken node into the load balancer.

This has now been stopped and so service should be fully restored to cdnjs! Apologies from all of us here at cdnjs for the delay in getting this resolved and for the drop in service.

Have a great weekend making use of cdnjs in all your projects!

@simonmysun

This comment has been minimized.

Copy link

commented Feb 2, 2019

Hi, here's two typical problems of my case:

1

SRI matched but not the resource I need.

Copied from https://cdnjs.com/libraries/stats.js/r17

<script src="https://cdnjs.cloudflare.com/ajax/libs/stats.js/r17/Stats.min.js" integrity="sha256-q9TcRq5RF4QMB+4qpg3wa9mXrOpqAG2RYWxfgA8+Ehc=" crossorigin="anonymous"></script>

Validate SRI:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/stats.js/r17/Stats.min.js' | openssl dgst -sha256 -binary | openssl base64 -A
q9TcRq5RF4QMB+4qpg3wa9mXrOpqAG2RYWxfgA8+Ehc=

Actual request and response

$ curl -v 'https://cdnjs.cloudflare.com/ajax/libs/stats.js/r17/Stats.min.js'
*   Trying 2606:4700::6813:c697...
* TCP_NODELAY set
* Connected to cdnjs.cloudflare.com (2606:4700::6813:c697) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl412106.cloudflaressl.com
*  start date: Sep 22 00:00:00 2018 GMT
*  expire date: Mar 31 23:59:59 2019 GMT
*  subjectAltName: host "cdnjs.cloudflare.com" matched cert's "*.cloudflare.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563875f5ee40)
> GET /ajax/libs/stats.js/r17/Stats.min.js HTTP/1.1
> Host: cdnjs.cloudflare.com
> User-Agent: curl/7.52.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< date: Sat, 02 Feb 2019 04:13:05 GMT
< content-type: application/javascript
< content-length: 36
< last-modified: Thu, 17 May 2018 09:25:40 GMT
< etag: "5afd4a94-24"
< expires: Thu, 23 Jan 2020 04:13:05 GMT
< cache-control: public, max-age=30672000
< access-control-allow-origin: *
< served-in-seconds: 0.001
< cf-cache-status: MISS
< accept-ranges: bytes
< strict-transport-security: max-age=15780000; includeSubDomains
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4a29d2bbbab091c4-EWR
< 
* Curl_http_done: called premature == 0
* Connection #0 to host cdnjs.cloudflare.com left intact
// Error: Unexpected token: punc ({)

The response is an error which can match SRI.

2

SRI mismatch

Copied from https://cdnjs.com/libraries/stats.js/r16

<script src="https://cdnjs.cloudflare.com/ajax/libs/stats.js/r16/Stats.min.js" integrity="sha256-eQxIuR9Z5Afu5SFVtoND4dHdHygFRhueTk7mwkINjro=" crossorigin="anonymous"></script>

Validate SRI:

$ curl 'https://cdnjs.cloudflare.com/ajax/libs/stats.js/r16/Stats.min.js' | openssl dgst -sha256 -binary | openssl base64 -A
jjcMJmdStYZdcYCmY6gC1qkG7+Ff+mr9KaC/dq7qjp8=

Actual request and response

$ curl -v 'https://cdnjs.cloudflare.com/ajax/libs/stats.js/r16/Stats.min.js'
*   Trying 2606:4700::6813:c397...
* TCP_NODELAY set
* Connected to cdnjs.cloudflare.com (2606:4700::6813:c397) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl412106.cloudflaressl.com
*  start date: Sep 22 00:00:00 2018 GMT
*  expire date: Mar 31 23:59:59 2019 GMT
*  subjectAltName: host "cdnjs.cloudflare.com" matched cert's "*.cloudflare.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562bb47bde40)
> GET /ajax/libs/stats.js/r16/Stats.min.js HTTP/1.1
> Host: cdnjs.cloudflare.com
> User-Agent: curl/7.52.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< date: Sat, 02 Feb 2019 04:16:45 GMT
< content-type: application/javascript
< last-modified: Thu, 17 May 2018 09:25:40 GMT
< etag: W/"5afd4a94-6d7"
< expires: Thu, 23 Jan 2020 04:16:45 GMT
< cache-control: public, max-age=30672000
< access-control-allow-origin: *
< served-in-seconds: 0.000
< cf-cache-status: HIT
< strict-transport-security: max-age=15780000; includeSubDomains
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4a29d81c4fb3c5f6-EWR
< 
var Stats=function(){function e(e){return n.appendChild(e.dom),e}function t(e){for(var t=0;t<n.children.length;t++)n.children[t].style.display=t===e?"block":"none";l=e}var l=0,n=document.createElement("div");n.style.cssText="cursor:pointer;opacity:0.9",n.addEventListener("click",function(e){e.preventDefault(),t(++l%n.children.length)},!1);var a=(performance||Date).now(),i=a,o=0,r=e(new Stats.Panel("FPS","#0ff","#002")),f=e(new Stats.Panel("MS","#0f0","#020"));if(self.performance&&self.performance.memory)var c=e(new Stats.Panel("MB","#f08","#201"));return t(0),{REVISION:16,domElement:n,addPanel:e,showPanel:t,setMode:t,begin:function(){a=(performance||Date).now()},end:function(){o++;var e=(performance||Date).now();if(f.update(e-a,200),e>i+1e3&&(r.update(1e3*o/(e-i),100),i=e,o=0,c)){var t=performance.memory;c.update(t.usedJSHeapSize/1048576,t.jsHeapSizeLimit/1048576)}return e},update:function(){a=this.end()}}};Stats.Panel=function(e,t,l){var n=1/0,a=0,i=Math.round,o=i(window.devicePixelRatio||1),r=80*o,f=48*o,c=* Curl_http_done: called premature == 0
* Connection #0 to host cdnjs.cloudflare.com left intact
3*o,d=2*o,s=3*o,p=15*o,u=74*o,m=30*o,h=document.createElement("canvas");h.width=r,h.height=f,h.style.cssText="width:80px;height:48px";var S=h.getContext("2d");return S.font="bold "+9*o+"px Helvetica,Arial,sans-serif",S.textBaseline="top",S.fillStyle=l,S.fillRect(0,0,r,f),S.fillStyle=t,S.fillText(e,c,d),S.fillRect(s,p,u,m),S.fillStyle=l,S.globalAlpha=.9,S.fillRect(s,p,u,m),{dom:h,update:function(f,v){n=Math.min(n,f),a=Math.max(a,f),S.fillStyle=l,S.globalAlpha=1,S.fillRect(0,0,r,p),S.fillStyle=t,S.fillText(i(f)+" "+e+" ("+i(n)+"-"+i(a)+")",c,d),S.drawImage(h,s+o,p,u-o,m,s,p,u-o,m),S.fillRect(s+u-o,p,o,m),S.fillStyle=l,S.globalAlpha=.9,S.fillRect(s+u-o,p,o,i((1-f/v)*m))}}},"object"==typeof module&&(module.exports=Stats);
@PeterDaveHello

This comment has been minimized.

Copy link
Member

commented Feb 2, 2019

@MattIPv4 not sure if you cloned the new-website repo yet(as you sent some PRs), my email is in the commit log author info :)

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 2, 2019

It appears this issue has been fully resolved so I will close this issue for now. 🎉

@MattIPv4 MattIPv4 closed this Feb 2, 2019

@MattIPv4 MattIPv4 unpinned this issue Feb 2, 2019

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

Hi @MattIPv4,

Would you pleas have a look at mine? It seems to be another issue.

Thanks.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

@simonmysun Examples of your issue would be greatly appreciated. I have never seen an SRI mismatch occur here, nor do I understand what you mean by the wrong file?

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

@MattIPv4 My post includes two examples. In order not to engage too much space I wrapped them with detail summary tags. You might have to click the black triangles to view them.

screenshot_2019-02-03_17-17-23

I also found out from the image that I didn't copied the complete result (I have corrected it in the post) but it is not important.

In the first example the server responded an error. and the error message matches its SRI. In the second example the correct resource is returned, but cannot match the SRI. Both examples can be reproduced on my laptop in China and my VPS in Digital Ocean in New York.

It's weird.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

@simonmysun Sorry for missing those, my theme didn't display the arrows.
Having tried both the files you referenced with the SRI values provided from the CDNJS website, both validate fine when loaded in a browser..?

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

Then it's more weird.

Mine here cannot load both resources correctly.

screenshot_2019-02-03_17-40-43

As you can see. The computed hash sum of stats.min.js at r16 by my browser(Chromium | 71.0.3578.98 (Official Build) Arch Linux (64-bit)) is as before. It doesn't match.

About the other one, you can see that the response is only an error message. I see that the response sizes in your screenshot are totally differently from mine(r16: 1.1KB, r17: 117B, there is no "Content-Length" in r16 response, btw).

screenshot_2019-02-03_17-51-22

Whatever they are, neither of them should be 97B.

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

@simonmysun have you tried loading them without SRI and with cache disabled to check their contents?

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

@MattIPv4 Yes of course. Without SRI they can be loaded. But the stats.min.js at version r17 is still this only line of code:

// Error: Unexpected token: punc ({)
@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

@simonmysun It would appear that is the contents of the file we have for stats.min.js r17: https://github.com/cdnjs/cdnjs/blob/master/ajax/libs/stats.js/r17/Stats.min.js

@PeterDaveHello Is this an issue with the automatic minification done by the bot?

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

@MattIPv4 Right. Thanks. I think we have one more stop to the fixing of the problem.

What about the SRI mismatch of r16?

The request status would be 200 but blocked by the browser. Is it also blocked in yours?

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

@simonmysun Yeah I'll wait for peter to respond about the bad file. It appears that yes, the SRI also fails on r16 so I wonder if this library in general is unhappy for some reason.

It might be best to move back to your original separate issue as it appears this is indeed unrelated to this CORS/404 issue.

@simonmysun

This comment has been minimized.

Copy link

commented Feb 3, 2019

Thanks. No hurry please. It seems that nobody found out this in previous two years. I would always be happy to help improving.

@amuqeet

This comment has been minimized.

Copy link

commented Jul 2, 2019

Having an issue with the resource:

https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js

In Chrome gives a "No 'Access-Control-Allow-Origin' header" error.
In browser get a "Error 1023 - Could not find host"

@MattIPv4

This comment has been minimized.

Copy link
Member

commented Jul 2, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.