LBRYCommunity/spee.ch
1
0
Fork 0
Code Issues 95 Pull requests 2 Projects Releases 4 Packages Wiki Activity

Add support for CORS #624

New issue
Open
opened 2018-10-10 00:31:45 +02:00 by NetOpWibby · 5 comments
NetOpWibby commented 2018-10-10 00:31:45 +02:00 (Migrated from github.com)
Copy link

For the meme creator on .tech, I was linking to images hosted on spee.ch. However, security issues prevented publishing. From MDN:

As soon as you draw into a canvas any data that was loaded from another origin without CORS approval, the canvas becomes tainted. A tainted canvas is one which is no longer considered secure, and any attempts to retrieve image data back from the canvas will cause an exception to be thrown.

For the meme creator on .tech, I was linking to images hosted on spee.ch. However, security issues prevented publishing. From [MDN](https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image): > As soon as you draw into a canvas any data that was loaded from another origin without CORS approval, the canvas becomes **tainted**. A tainted canvas is one which is no longer considered secure, and any attempts to retrieve image data back from the canvas will cause an exception to be thrown.
kauffj commented 2018-10-10 16:06:35 +02:00 (Migrated from github.com)
Copy link

CORS doesn't allow multiple allowed origins, so the options are:

  1. Send Access-Control-Allow-Origin: * and accept security downsides
  2. Check if referrer is from [lbry.tech, lbry.io, lbry.fund, ???] and return Access-Control-Allow-Origin: <allowed_domain>.
CORS doesn't allow multiple allowed origins, so the options are: 1) Send `Access-Control-Allow-Origin: *` and accept security downsides 2) Check if referrer is from `[lbry.tech, lbry.io, lbry.fund, ???]` and return `Access-Control-Allow-Origin: <allowed_domain>`.
kauffj commented 2018-12-10 22:47:40 +01:00 (Migrated from github.com)
Copy link

@NetOperatorWibby can you confirm this is working as intended for you now?

@NetOperatorWibby can you confirm this is working as intended for you now?
NetOpWibby commented 2018-12-12 19:47:12 +01:00 (Migrated from github.com)
Copy link

@kauffj Just remembered this. It is not working as intended.

SecurityError: The operation is insecure.

This is only with linking images from spee.ch to the meme creator on the Playground. The spee.ch images linked on the community page on .tech work. Publishing with images not served from .tech itself creates the above error.

@kauffj Just remembered this. It is _not_ working as intended. ``` SecurityError: The operation is insecure. ``` This is only with linking images from spee.ch to the meme creator on the Playground. The spee.ch images linked on the community page on .tech work. Publishing with images not served from .tech itself creates the above error.
jessopb commented 2018-12-12 22:41:10 +01:00 (Migrated from github.com)
Copy link

@NetOperatorWibby can you describe the steps to test this?
Alternately, can you verify that it's a problem for all browsers or specific browsers?

@NetOperatorWibby can you describe the steps to test this? Alternately, can you verify that it's a problem for all browsers or specific browsers?
NetOpWibby commented 2018-12-12 22:50:10 +01:00 (Migrated from github.com)
Copy link

@jessopb

This issue affects Firefox and Chrome. The issue persists in production as well.

@jessopb - Check out lbry.tech locally - Uncomment the lines in this section: https://github.com/lbryio/lbry.tech/blob/master/app/sockets.js#L196-L213 - Go to `/playground` and visit the Publish example - Make sure you have your browser inspector open and the console tab is activated - Hit "Submit" This issue affects Firefox and Chrome. The issue persists in production as well.
👍 1
This discussion has been locked. Commenting is limited to contributors.
No Branch/Tag specified
Branches Tags
master
dependabot/npm_and_yarn/ws-6.2.2
dependabot/npm_and_yarn/browserslist-4.16.6
release
staging
redirect2
redirectTv
updateMessaging
fixesJan20
dmca-fix
cors2
speechCors
cors
revert-1025-dependabot/npm_and_yarn/sequelize-5.3.0
ipWhitelist
lenientPublishLimits
noMetrics
securityPatch
fix-abandon
0.37-fixes
loggingImprovements
botnice
revert-995-master
revert-996-staging
ftl-staging
antimedia-staging
jessopb-docs-2019-2
dev1
dev2
v0.5.12
0.5.11
0.5.10
0.5.9
Labels
Clear labels   
area: devops

   
area: discovery

   
area: docs

   
area: livestream

   
area: proposal

Work is part of a proposal

  
consider soon

Discuss this issue at the next planning meeting, then remove this label

  
dependencies

Pull requests that update a dependency file

  
Epic

   
good first issue

   
hacktoberfest

Welcome to Hacktoberfest

  
help wanted

   
icebox

Long-term storage

  
level: 1

No knowledge of the existing code required

  
level: 2

Some knowledge of the existing code is recommended

  
level: 3

Significant knowledge of the existing code is recommended

  
level: 4

Intimate knowledge of the existing code is recommended

  
needs: exploration

Solution unclear, needs research

  
needs: grooming

Issue needs to be groomed before work can start

  
needs: priority

Priority level needs to be defined

  
needs: repro

Issue needs step-by-step instructions on how to reproduce in latest code

  
needs: tech design

Needs technical design signoff before implementation can begin

  
on hold

Temporarily paused

  
Osprey

Spee.ch special project

  
priority: blocker

Issue is blocking release, do ASAP

  
priority: high

Work needs to be moved into sprint ASAP

  
priority: low

Work should be done but can stay in the backlog for now

  
priority: medium

Work needs to be done within 2-3 sprints

  
protocol dependent

   
resilience

   
Tom's Wishlist

   
type: bug

Existing functionality is wrong or broken

  
type: discussion

A conversation. No specific changes requested

  
type: error handling

   
type: improvement

Existing (or partially existing) functionality needs to be changed

  
type: new feature

New functionality that does not exist yet

  
type: refactor

Minimal user-visible changes, but significant internal work

  
type: task

Either work that's not related to the code, or a small chore that does not fit into other categories

  
type: testing

Solution needs additional user testing

  
unplanned

Work that was not planned into the spirnt, took priority over planned work

No labels
area: devops
area: discovery
area: docs
area: livestream
area: proposal
consider soon
dependencies
Epic
good first issue
hacktoberfest
help wanted
icebox
level: 1
level: 2
level: 3
level: 4
needs: exploration
needs: grooming
needs: priority
needs: repro
needs: tech design
on hold
Osprey
priority: blocker
priority: high
priority: low
priority: medium
protocol dependent
resilience
Tom's Wishlist
type: bug
type: discussion
type: error handling
type: improvement
type: new feature
type: refactor
type: task
type: testing
unplanned
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: LBRYCommunity/spee.ch#624
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?