BUGFIX: re-enable CDN js debugging in a robust way

May be disabled if needed via site setting

app/controllers/static_controller.rb

@@ -57,4 +57,17 @@ class StaticController < ApplicationController
       end
     )
   end
+
+  skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
+  def cdn_asset
+    path = params[:path].gsub(/[^a-zA-Z0-9_\-\.]/, "")
+    path = (Rails.root + "public/assets/" + path).to_s
+    expires_in 1.year, public: true
+    response.headers["Access-Control-Allow-Origin"] = params[:origin]
+    opts = {
+      disposition: nil
+    }
+    opts[:type] = "application/x-javascript" if path =~ /\.js$/
+    send_file(path, opts)
+  end
 end

app/helpers/application_helper.rb

@@ -12,14 +12,14 @@ module ApplicationHelper
   include ConfigurableUrls
 
   def script(*args)
-    # This crazy stuff is needed to get window.onerror working under a CDN
+    if SiteSetting.enable_cdn_js_debugging && GlobalSetting.cdn_url
-    # NGINX change is also required and baked into sample config
+      tags = javascript_include_tag(*args, "crossorigin" => "anonymous")
-    # @sam: disabling this until we update our CDN configuration
+      tags.gsub!("/assets/", "/cdn_asset/#{Discourse.current_hostname.gsub(".","_")}/")
-    #if GlobalSetting.cdn_url
+      tags.gsub!(".js\"", ".js?origin=#{CGI.escape request.base_url}\"")
-    #  javascript_include_tag(*args, "crossorigin" => "anonymous")
+      tags.html_safe
-    #else
+    else
       javascript_include_tag(*args)
-    #end
+    end
   end
 
   def discourse_csrf_tags

config/locales/server.en.yml

@@ -895,6 +895,7 @@ en:
     embed_blacklist_selector: "css selector for elements that are removed from embeds"
     tos_accept_required: "If enabled, users will need to check a box on the signup form to confirm that they accept the terms of service. Edit 'Signup Form: Terms of Service Message' in the Content tab to change the message."
     notify_about_flags_after: "If there are flags that haven't been handled after this many hours, send an email to the contact_email. Set to 0 to disable."
+    enable_cdn_js_debugging: "Allow /logs to display proper errors by adding crossorigin permissions on all js includes"
 
   notification_types:
     mentioned: "%{display_username} mentioned you in %{link}"

config/nginx.sample.conf

@@ -28,7 +28,7 @@ server {
   listen 80;
   gzip on;
   gzip_min_length 1000;
-  gzip_types application/json text/css application/x-javascript;
+  gzip_types application/json text/css application/x-javascript application/javascript;
 
   server_name enter.your.web.hostname.here;
   server_tokens off;
@@ -63,8 +63,6 @@ server {
       expires 1y;
       add_header ETag "";
       add_header Cache-Control public;
-      # enables window.onerror
-      add_header Access-Control-Allow-Origin *;
       break;
     }
 

config/routes.rb

@@ -365,6 +365,8 @@ Discourse::Application.routes.draw do
   post "draft" => "draft#update"
   delete "draft" => "draft#destroy"
 
+  get "cdn_asset/:site/*path" => "static#cdn_asset", format: false
+
   get "robots.txt" => "robots_txt#index"
 
   Discourse.filters.each do |filter|

config/site_settings.yml

@@ -537,3 +537,5 @@ uncategorized:
   public_user_custom_fields:
     list: true
     default: ''
+
+  enable_cdn_js_debugging: true