Making WordPress.org

Opened 10 months ago

Last modified 10 months ago

#7442 new defect (bug)

GitHub PR images not displayed

Reported by: dd32 Owned by:
Milestone: Priority: normal
Component: Trac Keywords:
Cc:

Description

As of a few weeks ago (at least) GitHub images in PRs are no longer being displayed on trac.

For example:
https://core.trac.wordpress.org/ticket/57600#comment:17

In that example, I've edited the first image listed from proxying via Jetpack Photon to using the image URL directly.

This appears to be that the GitHub API is blocking Jetpack Photon from re-publishing the images.

For example, https://i0.wp.com/github.com/WordPress/wordpress-develop/assets/519727/33fc163b-7526-4a7c-87c3-57e9214b8033 gives a 403 response.

Looking at the Photon source, https://code.trac.wordpress.org/browser/photon/index.php#L294 we can see that the specific 403 presented means the upstream returned a 403 too.

Why do we proxy images via Photon?

Photon is in front of GitHub primarily as it doesn't expose CORS headers. Why do we need CORS headers? Well, because we have <img crossorigin="anonymous" /> such that the embedded content isn't requested with credentials and doesn't attempt to display any external-url basic authentication prompts.

Realistically, we can probably remove the usage of Photon here, by removing the use of crossorigin=anonymous for github.com, as we trust GitHub not to present an HTTP Authorization request, and as the content is within an <img> element there shouldn't be any possibility of malicious content within a GitHub attachment being able to access the trac page DOM.

I'm not 100% positive on that though.

Trac does offer a safe list of URIs that should not get crossorigin=false attributes, we can possibly just add GitHub to that.

upstream refs: https://trac.edgewall.org/changeset/15894 + https://trac.edgewall.org/changeset/16025
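
As an added illustration (not part of the ticket, and not Trac's or WordPress.org's code), here is one way a renderer could decide whether an image URL belongs to a safe-list origin before omitting crossorigin="anonymous". The function names, the allowlist contents and the sample URLs are assumptions; the comparison is on the parsed scheme, host and port rather than a string prefix, and anything that does not match keeps the attribute.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed allowlist for illustration; the ticket only proposes adding GitHub.
SAFE_ORIGINS = ("https://github.com",)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    # Browsers treat "\" like "/" and strip control characters, while
    # urlsplit does not, so refuse such URLs instead of guessing the host.
    if any(c == "\\" or c <= " " for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # hostname excludes any "user@" part and is already lower-cased.
    return scheme, parts.hostname, port


def is_safe_origin(url, safe_origins=SAFE_ORIGINS):
    """True only when the URL's origin exactly equals an allowlisted origin."""
    found = origin(url)
    return found is not None and any(found == origin(s) for s in safe_origins)


def render_img(url, safe_origins=SAFE_ORIGINS):
    """Render an <img>, keeping crossorigin="anonymous" unless allowlisted."""
    attrs = 'src="%s"' % escape(url, quote=True)
    if not is_safe_origin(url, safe_origins):
        # Default: request without credentials, which requires CORS headers
        # from the image host.
        attrs += ' crossorigin="anonymous"'
    return "<img %s />" % attrs


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the ticket.
    for sample in ("https://github.com/example/repo/assets/1/a.png",
                   "https://github.com.example.net/a.png",
                   "https://i0.wp.com/github.com/example/a.png"):
        print(render_img(sample))
```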

Change History (1)

#1 @dd32
10 months ago

In 13213:

Trac: Github PRs: Load GitHub embedded images directly, avoiding CORS.

See #7442.
