Inconsistent CORS on Images

Wsparcie The Movie Database

stworzony przez rhyswilliamsza
STAFFMOD
10 grudnia 2024 o godz. 8:58AM

Hi There

I am experiencing a little bit of a CORS issue with displaying images via TMDB BunnyCDN endpoint.

Image Without CORS Headers: https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg Image With CORS Headers: https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg

It appears that the Access-Control-Allow-Origin and Access-Control-Expose-Headers headers are inconsistently being set. I see that they're returned only when the Origin header is set, however it appears that they are sometimes not returned, even if Origin is set.

Just wanted to check whether there is a change ongoing that may be affecting this, or whether I should dig a bit more my side to see if there are any changes in the request payloads that could be triggering this behaviour.

Thank you!

2 odpowiedzi (strona 1 z 1)

• Jump to last post

Odpowiedź użytkownika Travis Bell

STAFFMOD

10 grudnia 2024 o godz. 10:48AM

Hi @rhyswilliamsza,

I'm not seeing any difference with those two images:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/xOMo8BRK7PfcJv9JCnx7s5hj0PX.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:09 GMT
< content-type: image/jpeg
< content-length: 60857
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6644d076-edb9"
< last-modified: Wed, 15 May 2024 15:10:46 GMT
< cdn-storageserver: NY-268
< cdn-requestpullsuccess: True
< cdn-fileserver: 674
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 11/03/2024 12:23:49
< cdn-edgestorageid: 899
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 5b1e3eddef7f57a580cbf3c6be731433
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

And:

curl -v -H "Origin: www.themoviedb.org" "https://image.tmdb.org/t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg"

* Host image.tmdb.org:443 was resolved.
* IPv6: (none)
* IPv4: 169.150.249.162
*   Trying 169.150.249.162:443...
* Connected to image.tmdb.org (169.150.249.162) port 443
* ALPN: curl offers h2,http/1.1
...

> GET /t/p/w1280/eN3NJkb8SDiMtjXTfoE6CZDMWpu.jpg HTTP/2
> Host: image.tmdb.org
> User-Agent: curl/8.7.1
> Accept: */*
> Origin: www.themoviedb.org
>
* Request completely sent off
< HTTP/2 200
< date: Tue, 10 Dec 2024 15:44:21 GMT
< content-type: image/jpeg
< content-length: 119116
< server: BunnyCDN-LA1-1108
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: CA
< cache-control: public, max-age=31919000
< etag: "6754bd76-1d14c"
< last-modified: Sat, 07 Dec 2024 21:26:14 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 628
< perma-cache: HIT
< cdn-proxyver: 1.06
< cdn-requestpullcode: 200
< cdn-cachedat: 12/07/2024 21:44:24
< cdn-edgestorageid: 907
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 65aa17b37173d466ed26619330e2ada5
< cdn-cache: HIT
< accept-ranges: bytes
< access-control-allow-origin: *
< access-control-expose-headers: *

Can you show me the request and response you're making?

Odpowiedź użytkownika rhyswilliamsza

STAFFMOD

10 grudnia 2024 o godz. 11:02AM

Thanks! I was also struggling to reproduce via CURL but wasn't sure if it was perhaps intermittent. I'm investigating a few chrome behaviours that may be related, and will let you know if I manage to capture the issue coming from the CDN side (main theory is that it's local for now).

Chrome Results using Fetch:

fetch("https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
Response {type: 'cors', url: 'https://image.tmdb.org/t/p/w1280/m2hs6YPVrzjvRC21SE9BeXtgqFW.jpg', redirected: false, status: 200, ok: true, …}

fetch("https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg", {
  "headers": {
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"macOS\""
  },
  "referrer": "http://localhost:8081/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}).then(console.log);
Promise {<pending>}
movies:1 Access to fetch at 'https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg' from origin 'http://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Understand this errorAI
VM3846:1
       GET https://image.tmdb.org/t/p/w1280/9tIgF5Ht9ndLJEwv2e6TZrExMKw.jpg net::ERR_FAILED
(anonymous) @ VM3846:1Understand this errorAI
VM3846:1
       Uncaught (in promise) TypeError: Failed to fetch
    at <anonymous>:1:1

Użytkownicy w dyskusji

Kategorie

Wsparcie The Movie Database