Inconsistent CORS on Images

The Movie Database 支持

rhyswilliamsza
STAFFMOD
发布于 2024 年 12 月 10 日 8:58上午

Hi There

I am experiencing a little bit of a CORS issue with displaying images via TMDB BunnyCDN endpoint.

Image Without CORS Headers: https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg Image With CORS Headers: https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg

It appears that the Access-Control-Allow-Origin and Access-Control-Expose-Headers headers are inconsistently being set. I see that they're returned only when the Origin header is set, however it appears that they are sometimes not returned, even if Origin is set.

Just wanted to check whether there is a change ongoing that may be affecting this, or whether I should dig a bit more my side to see if there are any changes in the request payloads that could be triggering this behaviour.

Thank you!

2 回复（第 1 页，共 1 页）

• Jump to last post

Travis Bell 的回复

STAFFMOD

于 2024 年 12 月 10 日 10:48上午

Hi @rhyswilliamsza,

I'm not seeing any difference with those two images:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:09 GMT
< content-type: image/jpeg
< content-length: 60857
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6644d076-edb9"
< last-modified: Wed, 15 May 2024 15:10:46 GMT
< cdn-storageserver: NY-268
< cdn-requestpullsuccess: True
< cdn-fileserver: 674
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 11/03/2024 12:23:49
< cdn-edgestorageid: 899
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 5b1e3eddef7f57a580cbf3c6be731433
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

And:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:21 GMT
< content-type: image/jpeg
< content-length: 119116
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6754bd76-1d14c"
< last-modified: Sat, 07 Dec 2024 21:26:14 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 628
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 12/07/2024 21:44:24
< cdn-edgestorageid: 907
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 65aa17b37173d466ed26619330e2ada5
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

Can you show me the request and response you're making?

rhyswilliamsza 的回复

STAFFMOD

于 2024 年 12 月 10 日 11:02上午

Thanks! I was also struggling to reproduce via CURL but wasn't sure if it was perhaps intermittent. I'm investigating a few chrome behaviours that may be related, and will let you know if I manage to capture the issue coming from the CDN side (main theory is that it's local for now).

Chrome Results using Fetch:

fetch("https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
Response {type: 'cors', url: 'https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg', redirected: false, status: 200, ok: true, …}

fetch("https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
movies:1 Access to fetch at 'https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg' from origin 'http://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Understand this errorAI
VM3846:1
       GET https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg net::ERR_FAILED
(anonymous) @ VM3846:1Understand this errorAI
VM3846:1
       Uncaught (in promise) TypeError: Failed to fetch
    at <anonymous>:1:1

关注此讨论的用户

分类

The Movie Database 支持