Inconsistent CORS on Images

Suporte do The Movie Database

publicado por rhyswilliamsza
STAFFMOD
em 10 dezembro 2024 às 8:58 AM

Hi There

I am experiencing a little bit of a CORS issue with displaying images via TMDB BunnyCDN endpoint.

Image Without CORS Headers: https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg Image With CORS Headers: https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg

It appears that the Access-Control-Allow-Origin and Access-Control-Expose-Headers headers are inconsistently being set. I see that they're returned only when the Origin header is set, however it appears that they are sometimes not returned, even if Origin is set.

Just wanted to check whether there is a change ongoing that may be affecting this, or whether I should dig a bit more my side to see if there are any changes in the request payloads that could be triggering this behaviour.

Thank you!

2 respostas (na página 1 de 1)

• Jump to last post

Resposta de Travis Bell

STAFFMOD

em 10 dezembro 2024 às 10:48 AM

Hi @rhyswilliamsza,

I'm not seeing any difference with those two images:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:09 GMT
< content-type: image/jpeg
< content-length: 60857
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6644d076-edb9"
< last-modified: Wed, 15 May 2024 15:10:46 GMT
< cdn-storageserver: NY-268
< cdn-requestpullsuccess: True
< cdn-fileserver: 674
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 11/03/2024 12:23:49
< cdn-edgestorageid: 899
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 5b1e3eddef7f57a580cbf3c6be731433
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

And:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:21 GMT
< content-type: image/jpeg
< content-length: 119116
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6754bd76-1d14c"
< last-modified: Sat, 07 Dec 2024 21:26:14 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 628
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 12/07/2024 21:44:24
< cdn-edgestorageid: 907
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 65aa17b37173d466ed26619330e2ada5
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

Can you show me the request and response you're making?

Resposta de rhyswilliamsza

STAFFMOD

em 10 dezembro 2024 às 11:02 AM

Thanks! I was also struggling to reproduce via CURL but wasn't sure if it was perhaps intermittent. I'm investigating a few chrome behaviours that may be related, and will let you know if I manage to capture the issue coming from the CDN side (main theory is that it's local for now).

Chrome Results using Fetch:

fetch("https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
Response {type: 'cors', url: 'https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg', redirected: false, status: 200, ok: true, …}

fetch("https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
movies:1 Access to fetch at 'https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg' from origin 'http://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Understand this errorAI
VM3846:1
       GET https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg net::ERR_FAILED
(anonymous) @ VM3846:1Understand this errorAI
VM3846:1
       Uncaught (in promise) TypeError: Failed to fetch
    at <anonymous>:1:1

Utilizadores nesta Discussão

Categorias

Suporte do The Movie Database