CORS error in admin product edit page with product images

Open ioweb-gr opened this issue 5 months ago • 5 comments

Preconditions and environment

  • 2.4.6-p10
  • At least two different domains

Steps to reproduce

  1. Setup a multi-website installation
  2. Website 1 at example.com
  3. Website 2 at example.net
  4. Admin page is working at example.com
  5. Visit the catalog product edit page at example.com/admin
  6. Switch to the second website store view from the store view switcher
  7. Navigate to the product images.
  8. The URL loaded is example.com/media/catalog/*****

Due to CORS the images are failing to load

Expected result

The images load fine for all domains that reside in the same installation

Actual result

The images are broken and multiple CORS related errors appear for img-src

Image

Additional information

I tried in a module's csp_whitelist.xml to add the following

<policy id="img-src">
    <values>
        <value id="img_src_example_com" type="host">example.com</value>
        <value id="img_src_example_net" type="host">example.net</value>
        <value id="img_src_example_org" type="host">example.org</value>
        <value id="img_src_example_shop" type="host">example.shop</value>
        <value id="img_src_example_store" type="host">example.store</value>
        <value id="img_src_example_online" type="host">example.online</value>
    </values>
</policy>

And I got an error loading the website

https://example.com/admin_custom/catalog/product/edit/key/********/id/123456/store/1/ might have a temporary problem or it could have moved.

Error code: 500 Internal Server Error

The site could be temporarily unavailable or too busy. Try again in a few moments.

Release note

No response

Triage and priority

  • [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • [ ] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

ioweb-gr avatar Jun 10 '25 06:06 ioweb-gr

Hi @ioweb-gr. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.


Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

m2-assistant[bot] avatar Jun 10 '25 06:06 m2-assistant[bot]

Hi @engcom-November. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: :point_down:

  • [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
  • [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
  • [ ] 3. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
  • [ ] 4. Verify that the issue is reproducible on 2.4-develop branch
    Details
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
  • [ ] 5. Add label Issue: Confirmed once verification is complete.
  • [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

m2-assistant[bot] avatar Jun 10 '25 06:06 m2-assistant[bot]

Hello @ioweb-gr ,

Thank you for your report and collaboration.

We attempted to replicate the issue on our latest 2.4-develop instances, following the provided preconditions and reproduction steps. However, we were unable to reproduce the issue. Please find the attached screenshot for reference.

Image

Steps Followed:

  • Logged into the Magento Admin.
  • Set up a multi-website installation:
  • Website 1: example.com
  • Website 2: example.net
  • Confirmed that the Admin page is accessible at example.com.
  • Navigated to the Catalog Product Edit page: example.com/admin.
  • Switched to the second website's store view using the store view switcher.
  • Accessed the product images section.

Despite following these steps, the issue did not occur on our end. Could you kindly recheck and let us know if there are any additional conditions or steps we might have missed?

For now, we are marking this issue as "Needs Update".

Thank you once again for your support!

engcom-November avatar Jun 10 '25 09:06 engcom-November

@engcom-November could you verify for me if the URLs on the images are the same as the admin domain or if they are different in your test instance from the inspector?

ioweb-gr avatar Jun 10 '25 09:06 ioweb-gr

Hello @ioweb-gr ,

I’ve verified the image URLs using the browser’s inspect tool, and both site images are loading correctly. This suggests that the issue might be related to a configuration setting at the second-level website.

Could you please review the configuration on your end?

For your reference, I’ve attached relevant screenshots. Let us know if you have any questions or need further clarification.

Image Image

Image

Thank You!

engcom-November avatar Jun 17 '25 14:06 engcom-November

Hello @ioweb-gr,

Following up on the above comment.

Thank You!

engcom-November avatar Jun 23 '25 12:06 engcom-November

I think I know what's different. The CSP status by default is set to Report-Only

In a fresh installation of 2.4.8-p1

I followed the below steps.

  1. Set base domain to m2latest.yourstaging.eu
  2. Create a new website / store / store_view called m2latestalt
  3. Set only the base URLs under Stores->Configuration->General->Web On default scope

Image

On m2latestalt website scope

Image

  1. Create a new product and save it with an image.
  2. Assign the product to the m2latestalt website
  3. Change the store switcher to m2latestalt scope

Image

  1. In the console.log I noticed that the CSP is set to Report-Only

Image

That's why the image is still visible, although if the CSP is activated it will stop working.

This is a clear 2.4.8-p1 installation with sample data, nothing else.

ioweb-gr avatar Jun 24 '25 05:06 ioweb-gr
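
Added example (not part of the thread and not Magento code): the Report-Only behaviour described in the comment above, as a simplified img-src evaluator in JavaScript. The policy string, the image path and the assumption that the second website's media is served from example.net are constructed for illustration.

```javascript
// Added example: classify an image load under enforced vs. report-only CSP.
// Simplified matcher: 'self', 'none', *, scheme-sources, and host-sources with
// an optional scheme and leading "*."; ports and paths are ignored.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, img, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return img.origin === page.origin;
  if (s === '*') return ['http:', 'https:'].includes(img.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return img.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && img.protocol !== scheme + ':') return false;
  return host.startsWith('*.') ? img.hostname.endsWith(host.slice(1)) : img.hostname === host;
}

function violates(policyValue, img, page) {
  const d = parseCsp(policyValue);
  const sources = d.get('img-src') ?? d.get('default-src'); // img-src falls back
  if (!sources) return false; // nothing governs image loads
  return !sources.some((src) => sourceMatches(src, img, page));
}

// headers: object of lower-cased response header names to values.
function classifyImageLoad(headers, pageUrl, imgUrl) {
  const page = new URL(pageUrl);
  const img = new URL(imgUrl, page);
  if (violates(headers['content-security-policy'], img, page)) return 'blocked';
  const ro = headers['content-security-policy-report-only'];
  return violates(ro, img, page) ? 'reported-only' : 'allowed';
}

// Constructed sample: admin on example.com, image assumed served from example.net.
const PAGE = 'https://example.com/admin/';
const IMG = 'https://example.net/media/catalog/product/a.jpg';
const POLICY = "default-src 'self'; img-src 'self' data:";
for (const h of ['content-security-policy-report-only', 'content-security-policy']) {
  console.log(h, '->', classifyImageLoad({ [h]: POLICY }, PAGE, IMG));
}
```

A `reported-only` result means the image still renders and only a console violation is logged, which matches an instance that looks healthy until the same policy is enforced.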

Hello @ioweb-gr,

Thank you for the report and collaboration.

We attempted to reproduce this issue on both the latest 2.4-develop and 2.4.8-p1 instances. The issue is not reproducible on 2.4-develop, but it is reproducible on 2.4.8-p1. Please find the attached screenshot for reference.

Image

Setup a multi-website installation

  • Website 1 at example.com
  • Website 2 at example.net
  • Admin page is working at example.com
  • Visit the catalog product edit page at example.com/admin
  • Switch to the second website store view from the store view switcher
  • Navigate to the product images.
  • The URL loaded is example.com/media/catalog/*****

Note: Reproducible only in 2.4.8-p1

Thank You!

engcom-November avatar Jun 24 '25 11:06 engcom-November

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-15014 is successfully created for this GitHub issue.

github-jira-sync-bot avatar Jun 24 '25 11:06 github-jira-sync-bot

:white_check_mark: Confirmed by @engcom-November. Thank you for verifying the issue.
Issue Available: @engcom-November, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

m2-assistant[bot] avatar Jun 24 '25 11:06 m2-assistant[bot]