CORS issue on federated Thumbnails
-
Hey NodeBB community,
First off, we're really loving using NodeBB for our community forums. Federation for the most part works great, and the experience is very, very polished!
We hit a weird snag after upgrading to v4.4.1 today, and I'm trying to decipher whether this is a bug, or simply a user error.
TL;DR
Thumbnails uploaded to our forum for category topics and user accounts appear to be broken when viewed from other instances. For example, trying to view @[email protected] in Akkoma or another piece of Fediverse software appears to fetch an intact profile with a broken image, like so:
I get the resulting error in the inspector when viewing this page:
The resource at “https://forum.wedistribute.org/assets/uploads/category/category-18.png” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#
What's really weird about this is that not all images are affected in the same way. User avatars and forum category thumbs that existed prior to a certain upgrade (not sure which) seem to federate just fine.
CORS Config
This is the config I currently have in NodeBB, maybe I'm missing something? Just trying to suss out whether this is something I did, or if perhaps this is a bug.
- Access Control Origin: *
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Methods: GET, POST, OPTIONS
- Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
- Cross-Origin-Embedder-Policy: enabled
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Resource-Policy: cross-origin
- Permissions-Policy: blank
- Enabled HSTS (recommended): true
Let me know if there's something I need to account for! I just want to ensure that images load properly from other instances / platforms that we're federating with!
-
Okay, I think I figured it out! It looks like my browser cache was just aggressively saving thumbnails. A quick flush of my browser cache seems to indicate that everything is okay.
-
Okay, so one slightly weird thing that comes up: certain categories seem to be fetching the wrong image URL when attempting to look up a forum category.
Here's an example for [email protected]
- URL that should be loaded: https://forum.wedistribute.org/assets/uploads/category/category-5.png
- URL that gets loaded remotely: https://forum.wedistribute.org/assets/uploads/category/category-5-icon.png
Note: I'm pretty sure this category in particular was created during our initial forum setup, which was the v4.0.0 release. I think category images were handled slightly differently then?
[email protected] Does NodeBB offer a mechanism for federating out updated image thumbnails for categories? It's pretty common for Fediverse platforms to update user avatars when they get changed, for example.
-
Hmm, it looks like now we're having problems on our end with remote images from other platforms:
Maybe our CORS settings were too aggressive?
Getting a lot of error messages that look like this now:
Failed to load ‘https://community.nodebb.org/assets/uploads/profile/uid-2/2-profileavatar-1738544541106.jpeg’. A ServiceWorker passed a promise to FetchEvent.respondWith() that rejected with ‘TypeError: NetworkError when attempting to fetch resource.’.
-
Okay, so disabling HSTS and flushing my browser cache again brought remote images back.
It's obvious that I need to crack into the ideal way to configure these things for the Fediverse, might have to replicate how some of my other Fediverse platforms are set up on the Nginx side.
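For readers following the thread, an added example (not part of any post above and not NodeBB's code): a simplified JavaScript model of the browser's Cross-Origin-Resource-Policy and CORS checks, showing when a page on a remote instance may load a forum asset. The function names, the remote host `akkoma.example` and the header sets are assumptions constructed for illustration.

```javascript
'use strict';
// Simplified model of two checks from the Fetch standard (added example).

const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));

// Approximation: compares the last two host labels; browsers use the Public Suffix List.
const site = (u) => u.hostname.split('.').slice(-2).join('.');

// Plain <img src> is a no-cors request, so the CORP check decides.
// embedderCoep: the embedding page's Cross-Origin-Embedder-Policy value, or null.
function corpCheck(pageUrl, resourceUrl, responseHeaders, embedderCoep = null) {
  const page = new URL(pageUrl), res = new URL(resourceUrl);
  if (page.origin === res.origin) return { allowed: true, why: 'same origin' };
  let policy = lower(responseHeaders)['cross-origin-resource-policy'] || null;
  if (!['same-origin', 'same-site', 'cross-origin'].includes(policy)) policy = null;
  // Under require-corp, a missing header is treated as same-origin.
  if (policy === null && embedderCoep === 'require-corp') policy = 'same-origin';
  if (policy === 'same-origin') return { allowed: false, why: 'CORP same-origin or missing under require-corp' };
  if (policy === 'same-site' && site(page) !== site(res)) return { allowed: false, why: 'CORP same-site' };
  return { allowed: true, why: policy || 'no CORP restriction' };
}

// fetch() and <img crossorigin> are cors requests, so the CORS check decides.
function corsCheck(pageUrl, responseHeaders, withCredentials = false) {
  const h = lower(responseHeaders), origin = new URL(pageUrl).origin;
  const acao = h['access-control-allow-origin'];
  if (!acao) return { allowed: false, why: 'no Access-Control-Allow-Origin' };
  if (!withCredentials) {
    return { allowed: acao === '*' || acao === origin, why: `ACAO ${acao}` };
  }
  // Credentialed requests: "*" is taken literally and never matches an origin.
  if (acao !== origin) return { allowed: false, why: 'ACAO must echo the exact origin' };
  const ok = h['access-control-allow-credentials'] === 'true';
  return { allowed: ok, why: ok ? 'credentialed CORS ok' : 'Allow-Credentials not true' };
}

// Constructed inputs: asset URL from the thread, hypothetical remote instance.
const PAGE = 'https://akkoma.example/users/someone';
const ASSET = 'https://forum.wedistribute.org/assets/uploads/category/category-18.png';
console.log(corpCheck(PAGE, ASSET, {}, 'require-corp'));
console.log(corpCheck(PAGE, ASSET, { 'Cross-Origin-Resource-Policy': 'cross-origin' }, 'require-corp'));
console.log(corsCheck(PAGE, { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }, true));
```

To compare against a live server, take the real response headers from `curl -sI <asset URL>` and pass them in place of the constructed header objects.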