Issue with Relative Path Causing CORS Error on Discourse Sites

Bug
1

The following code in lib/highlight_js.rb works on some domains but not others:

def self.path
    "/highlight-js/#{Discourse.current_hostname}/#{version SiteSetting.highlighted_languages}.js"
end

I have two Discourse sites. This code works on the domain www.abc.com, but it doesn’t work on efg.com. In the browser console, I see the following error:

formatter.js:383 Uncaught (in promise) TypeError: Failed to resolve module specifier '/highlight-js/efg.com/9797975efac87d28baa695ae13ca72ccaf5120f5.js'. The base URL is about:blank because import() is called from a CORS-cross-origin script.

After modifying self.path in highlight_js.rb as follows:

def self.path
    "https://#{Discourse.current_hostname}/highlight-js/#{Discourse.current_hostname}/#{version SiteSetting.highlighted_languages}.js"
end

the issue was resolved.

It appears that using a relative path like
import('/highlight-js/efg.com/9797975efac87d28baa695ae13ca72ccaf5120f5.js')
causes a CORS issue, while using an absolute URL,
import('https://efg.com/highlight-js/efg.com/9797975efac87d28baa695ae13ca72ccaf5120f5.js') , works fine.

1 Like
2

Odd that it works with abc.com but not efg.com, since the 2 different routes are completely different :thinking:

3

I mean it works with www.abc.com but not efg.com, not sure why but it happens on my cases

1 Like
4

Are you using a CDN on either of these sites? I have noticed that code highlighting is no longer working on my site, and I think it’s because of this:

In my case, my CDN is not returning an Access-Control-Allow-Origin header for the highlightjs file. I notice that Meta’s CDN does include that header, so I wonder what is different.

$ curl --silent -I https://d3bpeqsaub0i6y.cloudfront.net/highlight-js/meta.discourse.org/9797975efac87d28baa695ae13ca72ccaf5120f5.js | grep -i access-control
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD, OPTIONS

However, those headers are not being served by the origin server:

$ curl --silent -I https://meta.discourse.org/highlight-js/meta.discourse.org/9797975efac87d28baa695ae13ca72ccaf5120f5.js | grep -i access-control
<no output>

As far as I can tell, Discourse is meant to add access-control headers to the highlightjs files:

However, those headers are only applied if the request is a “CDN request”:

This only works if Discourse is configured with a separate host name for “CDN requests”.

1 Like
5

There is a setting, cdn_origin_hostname, which could perhaps be set to the normal discourse host name:

I think this would cause the is_cdn_request check to pass, but I don’t know if it would have any negative side-effects.

6

Yes, I am using a CDN on efg.com, but when I access the js file it do return me a correct Access-Control-Allow-Origin, that quite confused me

7

As a follow up, I set cdn_origin_hostname to the normal domain name of my Discourse instance, flushed the CDN cache, and now highlightjs is working again. I haven’t noticed any side effects…