Opened 10 months ago
Last modified 10 months ago
#7442 new defect (bug)
GitHub PR images not displayed
Reported by: | dd32 | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Component: | Trac | Keywords: |
Cc: | | |
Description
As of a few weeks ago (at least) GitHub images in PRs are no longer being displayed on trac.
For example:
https://core.trac.wordpress.org/ticket/57600#comment:17
In that example, I've edited the first image listed from proxying via Jetpack Photon to using the image URL directly.
This appears to be that the GitHub API is blocking Jetpack Photon from re-publishing the images.
For example, https://i0.wp.com/github.com/WordPress/wordpress-develop/assets/519727/33fc163b-7526-4a7c-87c3-57e9214b8033 gives a 403 response.
Looking at the Photon source, https://code.trac.wordpress.org/browser/photon/index.php#L294 we can see that the specific 403 presented means the upstream returned a 403 too.
Why do we proxy images via Photon?
Photon is in front of GitHub primarily as it doesn't expose CORS headers. Why do we need CORS headers? Well, because we have <img crossorigin="anonymous" /> such that the embedded content isn't requested with credentials and doesn't attempt to display any external-url basic authentication prompts.
Realistically, we can probably remove the usage of Photon here, by removing the use of crossorigin=anonymous for github.com, as we trust github not to present an HTTP Authorization request, and as the content is within an <img> element there shouldn't be any possibility of malicious content within a GitHub attachment being able to access the trac page DOM.
I'm not 100% positive on that though.
Trac does offer a safe list of URIs that should not get crossorigin=false attributes, we can possibly just add GitHub to that.
upstream refs: https://trac.edgewall.org/changeset/15894 + https://trac.edgewall.org/changeset/16025
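An added example, not code from the ticket or from Trac itself, sketching the safe-list approach proposed above in Python: the image tag keeps crossorigin="anonymous" unless the URL's host matches the safe list exactly, and a small check shows why the direct GitHub URL cannot be loaded in anonymous CORS mode while the Photon route now fails on the upstream 403. The host list and the sample responses are constructed assumptions, not captured traffic.

```python
from html import escape
from urllib.parse import urlsplit

# Hypothetical safe list modelled on the Trac option the ticket mentions:
# hosts trusted not to send a WWW-Authenticate challenge, embedded without
# crossorigin="anonymous". Constructed for this example.
SAFE_ORIGIN_HOSTS = {"github.com", "user-images.githubusercontent.com"}


def host_is_safe(url, safe_hosts=SAFE_ORIGIN_HOSTS):
    """Exact, case-insensitive host match over https only.

    urlsplit().hostname strips the port and any user@ prefix, so
    'https://github.com@evil.example/x' resolves to 'evil.example' and
    'https://github.com.evil.example/x' never matches a safe host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return parts.hostname in safe_hosts


def img_tag(url, safe_hosts=SAFE_ORIGIN_HOSTS):
    """Render the <img> the way the ticket proposes: anonymous CORS mode
    (no credentials, no auth prompt) unless the host is safe-listed."""
    attrs = 'src="%s"' % escape(url, quote=True)
    if not host_is_safe(url, safe_hosts):
        attrs += ' crossorigin="anonymous"'
    return "<img %s />" % attrs


def anonymous_load_succeeds(status, headers,
                            page_origin="https://core.trac.wordpress.org"):
    """Would a browser render <img crossorigin="anonymous"> for this response?

    Anonymous CORS mode needs a 2xx status and an Access-Control-Allow-Origin
    header equal to the page origin or '*'; a plain 200 with an image body but
    no such header is discarded, which is why Photon was put in front of GitHub.
    """
    if not 200 <= status < 300:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    return acao == "*" or acao == page_origin


# Constructed sample responses (not captured from GitHub or Photon).
GITHUB_DIRECT = (200, {"Content-Type": "image/png"})         # no CORS header
PHOTON_BLOCKED = (403, {"Access-Control-Allow-Origin": "*"})  # upstream 403
PHOTON_OK = (200, {"Access-Control-Allow-Origin": "*"})       # healthy proxy
```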
In 13213: