That Apache config suggestion is not correct. It would apply to everything served.

Not sure what is needed though. Do you need this Apache config to be changed for l10n.gnome.org?

My suggestion is to add "l10n.gnome.org" (or "*" if you want to authorize any origin) as an authorized origin for "video/ogg" type in the Apache configuration of the git.gnome.org server.

After some research, I think the Apache config *could be* something like this (assuming mod_headers is enabled):
<Files  "*.ogv">
  Header set Access-Control-Allow-Origin "http://l10n.gnome.org"
</Files>

Could you change damned-lies to look for files at:
  http://git.gnome.org/browse/
instead of:
  http://git.gnome.org/cgit/


Everything below browse is handled by cgit, see http://hjemli.net/git/cgit/.

There is a config option to set the mime type, which I have done. There is nothing for adding headers. Your solution will not work, this is only if Apache serves the files, which is not the case here.

I could still set that header for everything on git.gnome.org, but I am not sure what impact that will have.

(In reply to comment #3)
> Could you change damned-lies to look for files at:
>   http://git.gnome.org/browse/
> instead of:
>   http://git.gnome.org/cgit/

Done.

> Everything below browse is handled by cgit, see http://hjemli.net/git/cgit/.
> 
> There is a config option to set the mime type, which I have done. There is
> nothing for adding headers. Your solution will not work, this is only if Apache
> serves the files, which is not the case here.

Really? When I query any /browse/... page, I'm seeing "Apache" in the server HTTP response, e.g.:

Date:Sat, 24 Apr 2010 15:41:02 GMT
Server:Apache/2.2.3 (Red Hat)
Content-Disposition:inline; filename="iconcache.txt"

Olav, look at the cgit.conf under /etc/httpd/conf.d/. I fixed that yesterday but something came up and I wasn't able to get rid of the ETag. Other than that, the magic header shows when I do a netcat head request to one of those videos under the cgit /browse URL

Getting rid of the Etag sounds like magic voodoo to me. It certainly isn't a good idea in general (scope beyond the .ogv files) - we got the CGIT upstream to *add* the Etag to optimize being able to not download unchanged files.

Do NOT remove the ETag. The information from the given URLs is wrong. I know cgit allows etag to be turned off, I disagree that it should be done. FWIW, it already loads the video files partly.

Claude: Apache is the server yes, but it isn't serving a file. It is handled by a cgi program called cgit. This generates the headers.

Regarding Access-Control-Allow-Origin. I noticed that either Apache trunk or something else makes mod_headers way more advanced. Advanced enough to allow it AFAICS. But that version is not released and obviously not on RHEL5. Adding that header for everything might introduce security problems as everything in git will now be able to be accessed. Though we can limit it to l10n.gnome.org, this would mean git relies on the security of l10n. I want to avoid that if possible. Though if there really is no sane way (thought about patching cgit) then maybe we'll have to do it.

(In reply to comment #7)
> Claude: Apache is the server yes, but it isn't serving a file. It is handled by
> a cgi program called cgit. This generates the headers.

Sorry, of course <Files> only applies to filesystem files served by Apache.
Wouldn't LocationMatch do the trick?

<LocationMatch "\.ogv$">
  Header set Access-Control-Allow-Origin "http://l10n.gnome.org"
</Files>

Did something very similar:

  <LocationMatch "/browse/[^/]+/plain/.*\.ogv$">
    Header set Access-Control-Allow-Origin "http://l10n.gnome.org"
  </LocationMatch>

Still doesn't seem to work as I expect. Maybe because of the link around the <video> element?

Oh great, it's working now! (Firefox 3.5)
I will indeed remove the link around the <video> element, because it makes no sense for videos. Thanks for you help, Olav.