spee.ch
spee.ch copied to clipboard
lbryio
Add support for CORS
For the meme creator on .tech, I was linking to images hosted on spee.ch. However, security issues prevented publishing. From MDN:
As soon as you draw into a canvas any data that was loaded from another origin without CORS approval, the canvas becomes tainted. A tainted canvas is one which is no longer considered secure, and any attempts to retrieve image data back from the canvas will cause an exception to be thrown.
CORS doesn't allow multiple allowed origins, so the options are:
- Send
Access-Control-Allow-Origin: *and accept security downsides - Check if referrer is from
[lbry.tech, lbry.io, lbry.fund, ???]and returnAccess-Control-Allow-Origin: <allowed_domain>.
@kauffj Just remembered this. It is not working as intended.
SecurityError: The operation is insecure.
This is only with linking images from spee.ch to the meme creator on the Playground. The spee.ch images linked on the community page on .tech work. Publishing with images not served from .tech itself creates the above error.
@NetOperatorWibby can you describe the steps to test this? Alternately, can you verify that it's a problem for all browsers or specific browsers?
@jessopb
- Check out lbry.tech locally
- Uncomment the lines in this section: https://github.com/lbryio/lbry.tech/blob/master/app/sockets.js#L196-L213
- Go to
/playgroundand visit the Publish example - Make sure you have your browser inspector open and the console tab is activated
- Hit "Submit"
This issue affects Firefox and Chrome. The issue persists in production as well.