CORS issue on federated Thumbnails

  • Hey NodeBB community,

    First off, we're really loving using NodeBB for our community forums. Federation for the most part works great, and the experience is very, very polished!

    We hit a weird snag after upgrading to v4.4.1 today, and I'm trying to decipher whether this is a bug, or simply a user error.

    TL;DR

    Thumbnails uploaded to our forum for category topics and user accounts appear to be broken when viewed from other instances. For example, trying to view @fedimusic@forum.wedistribute.org in Akkoma or another piece of Fediverse software appears to fetch an intact profile with a broken image, like so:

    ad3f8d18-ea0a-4d6a-a0ff-5518024d595c-image.png

    I get the resulting error in the inspector when viewing this page:

    The resource at “https://forum.wedistribute.org/assets/uploads/category/category-18.png” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#

    What's really weird about this is that not all images are affected in the same way. User avatars and forum category thumbs that existed prior to a certain upgrade (not sure which) seem to federate just fine.

    CORS Config

    This is the config I currently have in NodeBB, maybe I'm missing something? Just trying to suss out whether this is something I did, or if perhaps this is a bug.

    • Access Control Origin: *
    • Access-Control-Allow-Credentials: true
    • Access-Control-Allow-Methods: GET, POST, OPTIONS
    • Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
    • Cross-Origin-Embedder-Policy: enabled
    • Cross-Origin-Opener-Policy: same-origin
    • Cross-Origin-Resource-Policy: cross-origin
    • Permissions-Policy: blank
    • Enabled HSTS (recommended): true

    Let me know if there's something I need to account for! I just want to ensure that images load properly from other instances / platforms that we're federating with!
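
The browser check behind the "blocked due to its Cross-Origin-Resource-Policy header (or lack thereof)" message quoted in the post above, as an added example that is not part of the original post or NodeBB's own code. It follows the Fetch specification's rule for no-cors loads such as images; the embedding origin `https://akkoma.example` and the function names are assumptions made for illustration.

```javascript
// Added example: the Fetch spec's Cross-Origin-Resource-Policy check for a
// no-cors subresource load such as <img src=...>.
// Assumption: "same site" compares the last two host labels; browsers use
// the Public Suffix List instead.
const site = (url) => url.hostname.split('.').slice(-2).join('.');

function corpCheck(embedderOrigin, embedderCoep, resourceUrl, responseHeaders,
                   includesCredentials = false) {
  const embedder = new URL(embedderOrigin);
  const resource = new URL(resourceUrl);
  const headers = new Map(Object.entries(responseHeaders)
    .map(([name, value]) => [name.toLowerCase(), String(value).trim()]));

  let policy = headers.get('cross-origin-resource-policy') ?? null;
  if (!['same-origin', 'same-site', 'cross-origin'].includes(policy)) {
    policy = null; // unknown values are ignored
  }
  // With no CORP header, a COEP opt-in on the embedding page makes the
  // browser treat the response as same-origin only.
  if (policy === null && (embedderCoep === 'require-corp' ||
      (embedderCoep === 'credentialless' && includesCredentials))) {
    policy = 'same-origin';
  }

  if (policy === null || policy === 'cross-origin') return 'allowed';
  if (policy === 'same-origin') {
    return embedder.origin === resource.origin ? 'allowed' : 'blocked';
  }
  // same-site: also refuses an http embedder loading an https resource
  const schemeOk = embedder.protocol === 'https:' || resource.protocol !== 'https:';
  return site(embedder) === site(resource) && schemeOk ? 'allowed' : 'blocked';
}

// Constructed scenario: a hypothetical remote instance embeds the thumbnail.
const thumb = 'https://forum.wedistribute.org/assets/uploads/category/category-18.png';
const remote = 'https://akkoma.example';
const scenarios = [
  ['no CORP, embedder without COEP', 'unsafe-none', {}],
  ['no CORP, embedder COEP require-corp', 'require-corp', {}],
  ['CORP cross-origin, embedder COEP require-corp', 'require-corp',
    { 'Cross-Origin-Resource-Policy': 'cross-origin' }],
  ['CORP same-origin, embedder without COEP', 'unsafe-none',
    { 'Cross-Origin-Resource-Policy': 'same-origin' }],
];
for (const [label, coep, headers] of scenarios) {
  console.log(`${label}: ${corpCheck(remote, coep, thumb, headers)}`);
}
```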

  • Okay, I think I figured it out! It looks like my browser cache was just aggressively saving thumbnails. A quick flush of my browser cache seems to indicate that everything is okay.

  • Okay, so one slightly weird thing that comes up: certain categories seem to be fetching the wrong image URL when attempting to look up a forum category.

    Here's an example for fediverse@forum.wedistribute.org

    • URL that should be loaded: https://forum.wedistribute.org/assets/uploads/category/category-5.png
    • URL that gets loaded remotely: https://forum.wedistribute.org/assets/uploads/category/category-5-icon.png

    Note: I'm pretty sure this category in particular was created during our initial forum setup, which was the v4.0.0 release. I think category images were handled slightly differently then?

    julian@community.nodebb.org Does NodeBB offer a mechanism for federating out updated image thumbnails for categories? It's pretty common for Fediverse platforms to update user avatars when they get changed, for example.

  • Hmm, it looks like now we're having problems on our end with remote images from other platforms:

    Maybe our CORS settings were too aggressive?

    image.png

    Getting a lot of error messages that look like this now:

    Failed to load ‘https://community.nodebb.org/assets/uploads/profile/uid-2/2-profileavatar-1738544541106.jpeg’. A ServiceWorker passed a promise to FetchEvent.respondWith() that rejected with ‘TypeError: NetworkError when attempting to fetch resource.’.

  • Okay, so disabling HSTS and flushing my browser cache again brought remote images back.
    It's obvious that I need to crack into the ideal way to configure these things for the Fediverse, might have to replicate how some of my other Fediverse platforms are set up on the Nginx side.