Bokeh CDN JS seems to be broken since 05/27/2022

Hello, I have been using Bokeh 1.4.0 for the past year embedded into HTML reports using the JS files from cdn.bokeh.org. Starting yesterday, May 27, 2022, I am now getting Access-Control-Allow-Origin missing errors on multiple browsers that I have tried: Chrome 101.0.4951.67 and Safari.

I am including the scripts into my HTML using the code from the user guide:

<script src="https://cdn.bokeh.org/bokeh/release/bokeh-1.4.0.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-widgets-1.4.0.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-tables-1.4.0.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-gl-1.4.0.min.js"
  crossorigin="anonymous"></script>
</head>

Have certain versions of Bokeh been deprecated and have had the CROS headers disabled on the CDN server? I have tried quite a few versions and many of them appear to be broken in the same way. I am not entirely familiar with CROS, but from what I understand it is a server side response, so I cannot really affect the behavior on my side.

These versions have a CROS missing header error

  • 2.4.3
  • 2.4.1
  • 2.4.0
  • 1.4.0

The following versions work for some reason:

  • 2.4.2
  • 2.0.0 to 2.3.3

Unfortunately a lot of the HTML reports that I have generated rely on the 1.4.0 version and the environment that I am using only has 1.4.0, so I can’t simply upgrade to a working version.

Appreciate the help from the community on this one.
Thanks!

There was a CDN configuration change the other day, but when I left it I was seeing those headers present in curl requests. I’m not sure why they would have stopped being added, or for that matter how different files could have different results, since the entire bucket and CF distribution have a single configuration for all files. I will look at it as soon as I’m back in front of a computer but that will be a few hours at least. In the mean time can you try force reloads just in case that has effect?

Thanks for looking into this Bryan. Force reload and private mode so far has not worked for me. Removing the crossorigin=“anonymous” works, but I would have to go and edit every HTML report ever generated, which is not ideal.

Curiously, even within versions some files work and others do not. For example:

<script src="https://cdn.bokeh.org/bokeh/release/bokeh-2.4.2.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.2.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.2.min.js"
  crossorigin="anonymous"></script>
<script src="https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.2.min.js"
  crossorigin="anonymous"></script>
</head>

I get the error for two of the four files.

I’m not sure what timezone you are on but if you can hop on a call in 3-4 hours that would really help ensure that a potential fix is an actual fix. Please PM me if so.

Seems to be back to normal after adding the optional Request Header Policy directly on Cloudfront (which I was intending to do anyway):