crossorigin issues in gerrit version 2.14.4

[cedar.b...@gmail.com]

Hi,

So I am using the polygerrit version 2.14.4 and it seems that the below two links on the home page don't have cross-origin set to anonymous:

<link rel="preload" href="/fonts/SourceCodePro-Regular.woff2", as="font" type="font/woff2" crossorigin>

<link rel="preload" href="/fonts/SourceCodePro-Regular.woff" as="font" type="font/woff" crossorigin>

The third one, however, is fine: 
<link rel="preload" href="/elements/gr-app.js" as="script" crossorigin="anonymous">

Is this intentional and is there a way to fix it? 

Thanks,

--Jason

[Gert van Dijk]

The HTML attributes you're seeing are part of the template in the source code. It mentions the following comment regarding the use of the 'crossorigin' attribute:

  // @see https://github.com/w3c/preload/issues/32 regarding crossorigin

In that GitHub issue, the use of 'anonymous' is discussed, but I don't seem to understand the details of this.

It makes sense to me to explicitly fetch fonts anonymously (ie. without cookies or other credentials), but wouldn't it also put up a burden for those who will have a simple authenticating reverse proxy installed which simply restricts '/' on the Gerrit site? Hmm, well, as you mentioned in your post, already another resource (script) is marked anonymously for CORS and that would work the same way.

If we agree on that it is 'broken' currently, please file a bug report and we can (easily) solve this. I'm not aware of any way to override the main HTML page as a site-local configuration, but others may know a way.

FWIW - I checked the situation on stable-2.15 and master and it's unchanged (just the font itself has been replaced by Roboto).

[cedar.b...@gmail.com]

Okay, I will file a bug report and possibly add information here about it. Thank You

Thanks!

[cedar.b...@gmail.com]

Here is the ticket: https://bugs.chromium.org/p/gerrit/issues/detail?id=9483

Thanks!