propose fix for CORS issues with missing crossorigin tag #56
Hi @PhilETaylor, Indeed, that's an issue in a cross-domain context (which is not always the case). I'm not against adding I would 100% agree with using |
It's the case 100% of the time if you are using a CDN to serve your assets :) I don't have any strong opinion either way, however when I upgraded and deployed to production (which uses a CDN) it broke my site.. hence I had to work out why, document it, and find a solution.. which I have proposed. The current situation is that anyone that follows what I did, updates, enables integrity, and then deploys with assets from a CDN will break their site... |
there are only two options really for the crossorigin attribute. https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes
I've never seen anyone use the latter... but at the moment this feature is BROKEN because deploying assets on a CDN with the integrity attribute and no crossorigin attribute WILL BREAK THE PRODUCTION SITE! (break == asset loading will be blocked by Google Chrome) I would say a quick fix would be the hard coding of crossorigin as proposed by this PR and then further discussion on making it configurable can be had later, it seems #10 has been open since last year with no progress and you can't expect to leave this feature broken for the majority while someone makes that decision |
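The failure described in the comment above can be caught before deployment by auditing rendered HTML for tags that carry `integrity`, point at another origin, and have no `crossorigin` attribute. The following is an added example, not part of the thread or of the bundle's code; the hostnames, the `audit` helper and the hash placeholders are assumptions made for illustration. Note that the CDN must also answer with an `Access-Control-Allow-Origin` header for the CORS fetch to succeed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Default ports so https://example.com and https://example.com:443 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class SriCorsAudit(HTMLParser):
    """Collect <script>/<link> tags that carry integrity but would be fetched
    cross-origin without CORS, which makes the browser's SRI check fail."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # a bare `crossorigin` shows up with value None
        url_attr = {"script": "src", "link": "href"}.get(tag)
        if url_attr is None or not attrs.get(url_attr) or "integrity" not in attrs:
            return
        asset_url = urljoin(self.page_url, attrs[url_attr])
        if origin(asset_url) == origin(self.page_url):
            return  # same-origin fetch: integrity works without crossorigin
        if "crossorigin" not in attrs:
            self.findings.append((tag, asset_url))

def audit(html, page_url):
    """Return (tag, absolute_url) for every asset the browser would block."""
    parser = SriCorsAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; hostnames and hashes are placeholders.
SAMPLE = """
<script src="/build/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example.com/build/app.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://cdn.example.com/build/app.css" integrity="sha384-PLACEHOLDER" crossorigin="anonymous">
<script src="//cdn.example.com/build/runtime.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example.com/build/vendor.js"></script>
"""

if __name__ == "__main__":
    for tag, url in audit(SAMPLE, "https://www.example.com/"):
        print(f"{tag}: {url} has integrity but no crossorigin attribute")
```
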
ok with 768a820 I have now made the value of crossorigin attribute configurable :-) if none is set in the config, then it still defaults to anonymous PLEASE TEST! |
flex recipe also updated here symfony/recipes#562 |
@stof Thanks for the comments... coding on the sofa on laptop is not my best place to code :) also still learning some of the deep symfony stuff :) ... "it works" is not enough :) I'll go grab a coffee and update this PR with your comments - thanks for the feedback |
ok I have settled on
as I found that example in symfony/security-bundle like that :) |
This is ready for testing/feedback again now :) |
@Lyrkan all your feedback has now been applied. Ready for testing/feedback/merging again now |
flex recipe also updated here symfony/recipes#562 |
Looks good to me :)
Maybe we're just missing some test cases for the default and explicit false
values?
In 7eeb941 I have reverted (and renamed) one of the tests so that it renders with no configured attributes, this is a quick win and covers the TagRenderer class only, I guess what is really needed is some coverage of the WebpackEncoreExtension final class to check if the configuration attributes resolve correctly but there was no existing test and I'm not in the mood for that challenge today, sorry :) :) I have also noticed that LOADS of DocBlocks are missing on methods in this bundle - any ideas if that is on purpose or is that another quick win we could make using phpStorm to generate these missing DocBlocks? |
The extension is tested by the webpack-encore-bundle/tests/IntegrationTest.php Lines 147 to 153 in fc18456
Do you have an example of what you'd add? Most methods are already typed (params and return) so it wouldn't be really useful to add the same thing using PHPDoc. Anyway, this should probably be in a separate PR to avoid mixing those changes with the ones here :) |
I'm just not used to seeing code without the additional PHPDoc for every method :-) I'll ignore that for now, phpStorm is great at reading the typehints so doesn't need the documentation to build its index anyway I have added the default crossorigin = false in the IntegrationTest, the tests pass with it set to false, or not there at all. I guess this is ready for merging ? |
Thanks for researching and fixing this Phil - excellent PR! |
…(PhilETaylor, weaverryan) This PR was merged into the master branch. Discussion ---------- propose fix for CORS issues with missing crossorigin tag This fixes #55 and comes with the unit tests too ;-) updated: This PR also allows the value for crossorigin attribute to be defined in the configuration yaml Commits ------- ecad299 Merge branch 'master' into patch-1 04d8091 small docs tweak 95f7d27 making arg optional for BC fee8b91 add default attribute set to false in tests 7eeb941 revert the default test so that it tests with no attribute array a74dee0 tidy up service xml to remove keyed collection fadd432 Apply codestyle from php-cs-fixer fix --config=.php_cs.dist 0b607f7 refactor based on @stof feedback 5eac7b3 correct documentation of configuration 2fb1d3d Fix unit tests 22c971c Allow for no attribute by default, and allow it to be configurable and future proofed array d1866c5 <argument /><!-- crossorigin --> c304692 refine as per feedback 2f83a66 remove additional spaces 4a6325e update documentation 768a820 Allow value for crossorigin attribute to be configurable, defaults to anonymous 9f1e101 fix tests efdc276 fix tests for crossorigin="anonymous" 99e8bce propose fix for CORS issues with missing crossorigin tag
🎉 |
This fixes #55 and comes with the unit tests too ;-)
updated:
This PR also allows the value for crossorigin attribute to be defined in the configuration yaml