Inconsistent CORS on Images

The Movie Database Support

posted by rhyswilliamsza
STAFFMOD
on December 10, 2024 at 8:58 AM

Hi There

I am experiencing a little bit of a CORS issue with displaying images via TMDB BunnyCDN endpoint.

Image Without CORS Headers: https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg Image With CORS Headers: https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg

It appears that the Access-Control-Allow-Origin and Access-Control-Expose-Headers headers are inconsistently being set. I see that they're returned only when the Origin header is set, however it appears that they are sometimes not returned, even if Origin is set.

Just wanted to check whether there is a change ongoing that may be affecting this, or whether I should dig a bit more my side to see if there are any changes in the request payloads that could be triggering this behaviour.

Thank you!

2 replies (on page 1 of 1)

• Jump to last post

Reply by Travis Bell

STAFFMOD

on December 10, 2024 at 10:48 AM

Hi @rhyswilliamsza,

I'm not seeing any difference with those two images:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:09 GMT
< content-type: image/jpeg
< content-length: 60857
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6644d076-edb9"
< last-modified: Wed, 15 May 2024 15:10:46 GMT
< cdn-storageserver: NY-268
< cdn-requestpullsuccess: True
< cdn-fileserver: 674
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 11/03/2024 12:23:49
< cdn-edgestorageid: 899
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 5b1e3eddef7f57a580cbf3c6be731433
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

And:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:21 GMT
< content-type: image/jpeg
< content-length: 119116
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6754bd76-1d14c"
< last-modified: Sat, 07 Dec 2024 21:26:14 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 628
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 12/07/2024 21:44:24
< cdn-edgestorageid: 907
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 65aa17b37173d466ed26619330e2ada5
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

Can you show me the request and response you're making?

Reply by rhyswilliamsza

STAFFMOD

on December 10, 2024 at 11:02 AM

Thanks! I was also struggling to reproduce via CURL but wasn't sure if it was perhaps intermittent. I'm investigating a few chrome behaviours that may be related, and will let you know if I manage to capture the issue coming from the CDN side (main theory is that it's local for now).

Chrome Results using Fetch:

fetch("https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
Response {type: 'cors', url: 'https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg', redirected: false, status: 200, ok: true, …}

fetch("https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
movies:1 Access to fetch at 'https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg' from origin 'http://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Understand this errorAI
VM3846:1
       GET https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg net::ERR_FAILED
(anonymous) @ VM3846:1Understand this errorAI
VM3846:1
       Uncaught (in promise) TypeError: Failed to fetch
    at <anonymous>:1:1

Users In This Discussion

Turkumlar

The Movie Database Support