No cross-origin-resource-policy set on https://cdn.holoviz.org/panel

Hello,
I am trying to run a panel holoviz app in pyodide after converting via panel convert.
Since I have to execute some additional js code from the app which requires cross origin isolation I have to serve the app with Cross-Origin-Embedder-Policy: require-corp.

From the browser console I can see that all the resources served from https://cdn.holoviz.org/panel have no cross-origin-resource-policy set, so they are blocked by the browser.
I could make it work by setting `Cross-Origin-Embedder-Policy: credentialless`, but this is not supported by all browsers (notably Safari).

Therefore I was wondering if it would be possible to serve the resources from https://cdn.holoviz.org/panel with a cross-origin-resource-policy or it was a decision not to enable it.


Hi @bevilacqc

I don’t know if it’s a design decision, but please convert this to a GitHub issue. Then I think it has a better chance of being reviewed as a feature request and implemented.

Thanks.

No, we want the CDN with everyone. Could you clearly state what is needed, along with some documentation of its effect, so that I can research it further?


I am converting a panel app to HTML using the command
panel convert app.py --to pyodide-worker
and serving it from the localhost with
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
The request and response headers for the main app.html look like:

[Request header]

GET /app.html HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:8000
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

[Response header]

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.12.7
Date: Thu, 29 May 2025 09:30:43 GMT
Content-type: text/html
Content-Length: 19940
Last-Modified: Fri, 23 May 2025 13:08:16 GMT
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

Then, when the page is loading, all the resources requested by the browser from https://cdn.holoviz.org/panel are blocked due to no cross-origin-resource-policy set by the server.
I attach the request and response headers just for the first resource that is being requested.
From Chrome:

and Firefox:

[Request header]

GET /panel/1.6.1/dist/bundled/reactiveesm/es-module-shims@%5E1.10.0/dist/es-module-shims.min.js HTTP/2
Host: cdn.holoviz.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://localhost:8000/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Priority: u=2

[Response header]

HTTP/2 200 
content-type: text/javascript
access-control-allow-origin: *
access-control-allow-methods: GET, POST, HEAD
last-modified: Fri, 14 Feb 2025 14:41:47 GMT
server: AmazonS3
x-amz-server-side-encryption: AES256
content-encoding: br
date: Wed, 28 May 2025 10:37:59 GMT
etag: W/"024dd597846c22ce6dbca8c3b251a7e6"
vary: accept-encoding
x-cache: Hit from cloudfront
via: 1.1 d6f2ecdfd53b40c1776d655bd15fdeb0.cloudfront.net (CloudFront)
x-amz-cf-pop: FRA60-P8
x-amz-cf-id: VGQoqbOwfRia8Bjtk_X-4W3viUM8JZM_ovx5GMiw-DVtfHk94MmNpw==
age: 79808
cache-control: max-age=31536000
X-Firefox-Spdy: h2

In my understanding the CDN should set cross-origin-resource-policy: cross-origin in the response header.

Hope this helps, otherwise let me know if I should provide more information.
Thanks

We should now have applied `cross-origin-resource-policy: cross-origin`. Can you give it a go?

I don’t think it’s working, or maybe there’s still some cache that needs to be updated. I used this tool HTTP Header Checker - Check HTTP Response Headers With curl | KeyCDN Tools to fetch cdn.holoviz.org/panel/1.6.3/dist/panel.min.js and I got the following headers:

HTTP/200
content-type: text/javascript
content-length: 733530
date: Tue, 17 Jun 2025 12:54:57 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, POST, HEAD
last-modified: Wed, 23 Apr 2025 16:48:17 GMT
etag: "de1cdfa78adf9365b42c895e1147a499"
x-amz-server-side-encryption: AES256
accept-ranges: bytes
server: AmazonS3
x-cache: Hit from cloudfront
via: 1.1 efb576f3260fb935bd57cce721b78428.cloudfront.net (CloudFront)
x-amz-cf-pop: FRA60-P8
x-amz-cf-id: gTPwqoP3m5BdyMMtQv7El8WgfM2iaVoqrJEU5fi_QFOdQOvx8rse8g==
age: 329
cache-control: max-age=31536000

Notably, cross-origin-resource-policy is missing.

As a comparison, here’s the header from a big npm cdn (target page: cdn.jsdelivr.net/npm/jquery@3.6.4/dist/jquery.min.js )

HTTP/200
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 3.6.4
x-jsd-version-type: version
etag: W/"15ec3-7aRnR8cdOKiAvuRPmkOcOFi7j5k"
accept-ranges: bytes
age: 361701
date: Tue, 17 Jun 2025 13:14:53 GMT
x-served-by: cache-fra-etou8220104-FRA
x-cache: HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 89795

Can you try again?
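A small checker for the situation described in the two header comparisons above (the cdn.holoviz.org response without CORP and the cdn.jsdelivr.net response with it). This is an added example, not code from the thread or from Panel; the header dumps embedded in it are constructed, abridged copies of the ones pasted above, and the policy rules are simplified to the no-cors `<script src>` case that the browser console was complaining about.

```python
"""Decide whether a CDN response is embeddable by a page served with
Cross-Origin-Embedder-Policy (COEP).  Added example, not part of the thread."""


def parse_headers(raw: str) -> dict:
    """Parse a pasted response-header dump into a lowercase-keyed dict.
    The status line (e.g. 'HTTP/2 200') is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def embeddable(headers: dict, coep: str, cross_site: bool = True) -> bool:
    """True if a no-cors cross-origin load (a plain <script src=...>) of a
    resource with these response headers passes the embedder policy.
    Simplified from the HTML spec's CORP check (assumption: CORS-mode
    requests, which may pass via Access-Control-Allow-Origin, are ignored):
      - require-corp: the response must carry Cross-Origin-Resource-Policy
        'cross-origin' (or 'same-site' when the request is same-site).
      - credentialless: no-cors requests are sent without credentials and
        are accepted even without CORP (not supported by Safari).
      - unsafe-none: no check at all."""
    if coep in ("unsafe-none", "credentialless"):
        return True
    corp = headers.get("cross-origin-resource-policy", "").lower()
    if corp == "cross-origin":
        return True
    return corp == "same-site" and not cross_site


# Constructed, abridged copies of the two responses shown in the thread.
HOLOVIZ_CDN = """HTTP/2 200
content-type: text/javascript
access-control-allow-origin: *
cache-control: max-age=31536000
"""

JSDELIVR = """HTTP/200
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
"""


def check_examples(coep: str = "require-corp") -> dict:
    """Map each CDN to whether its sample response passes the given COEP."""
    samples = (("cdn.holoviz.org", HOLOVIZ_CDN), ("cdn.jsdelivr.net", JSDELIVR))
    return {name: embeddable(parse_headers(raw), coep) for name, raw in samples}
```

Note that `access-control-allow-origin: *` alone does not satisfy `require-corp` for a no-cors script load; only the CORP header (or switching to `credentialless`) does.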