[Vega] Allow image loading without CORS policy by changing the default to crossOrigin=null #91991
return originalSanitize(uri, options); | ||
const result = await originalSanitize(uri, options); | ||
// This will allow Vega users to load images from any domain. | ||
result.crossOrigin = null; |
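Review bot: the assignment result.crossOrigin = null; runs unconditionally on every result of originalSanitize, so any crossOrigin value the original sanitizer returned is discarded for all URIs, not only for the images the comment mentions. Consider overriding only when no value was supplied, and extend the comment to state the trade-off: with null the browser fetches the image without a CORS check, so a canvas that draws it becomes tainted and can no longer be read back or exported. The visible lines also stop at the assignment; please confirm that return result; follows it.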
@wylieconlon I'm not a big fan of this kind of change. Could you please help me reproduce that issue locally? I've modified the hosts file, set vis_type_vega.enableExternalUrls: true and used the following Vega spec with an image from an external resource.
Vega spec:
{
$schema: https://vega.github.io/schema/vega/v5.json
marks: [
{
"type": "image",
"encode": {
"enter": {
"url": {
"value": "https://cdn.glitch.com/4c9ebeb9-8b9a-4adc-ad0a-238d9ae00bb5%2Fmdn_logo-only_color.svg?1535749917189"
}
}
}
}
]
}
Image loaded without any warnings/errors in console
@alexwizp the image that you've found allows all CORS requests, so it is not a good example of the type of image that causes this behavior. Most CDNs automatically allow CORS requests for images, so maybe the best place to find this kind of image is a non-CDN source. Maybe setting up a local HTTP server on a different port would be a better example.
I tested this in Firefox by setting up a local image server using python -m SimpleHTTPServer in my screenshots directory, and was able to compare the existing behavior to this PR. This PR fixes the loading behavior when CORS headers are not set on images.
@elasticmachine merge upstream
Pinging @elastic/kibana-app (Team:KibanaApp)
@elasticmachine merge upstream
💚 Build Succeeded
Metrics [docs]: Async chunks
To update your PR or re-run it, just comment with:
cc @VladLasitsa
Code review only, LGTM
@elasticmachine run elasticsearch-ci/docs
…t to crossOrigin=null (elastic#91991)
* changing the default to crossOrigin=null in Vega
* Fix eslint
Co-authored-by: Kibana Machine <[email protected]>
…t to crossOrigin=null (#91991) (#92956)
* changing the default to crossOrigin=null in Vega
* Fix eslint
Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Kibana Machine <[email protected]>
Closes: #83978
Summary
Add crossOrigin=null to the sanitize method to allow Vega users to load images from any domain.
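
The thread turns on how a browser treats a cross-origin image depending on its crossOrigin setting and the server's CORS headers. The following is an added example, not code from this PR or from Kibana: a simplified model of that decision, including the canvas-tainting consequence of crossOrigin=null. The function names, origins, URLs and headers are constructed, and 'anonymous' stands in as an assumed CORS-enabled setting for comparison.

```javascript
// Added example: simplified model of a browser's cross-origin <img> handling.
// Origins, URLs and headers below are constructed sample values.

function lowerCaseKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// crossOrigin: null (attribute absent), 'anonymous' or 'use-credentials'.
function imageLoadOutcome({ pageOrigin, imageUrl, crossOrigin, responseHeaders = {} }) {
  if (new URL(imageUrl).origin === pageOrigin) {
    return { mode: 'same-origin', loads: true, canvasTainted: false };
  }
  if (crossOrigin === null || crossOrigin === undefined) {
    // No CORS check is made: the image renders, but any canvas it is drawn to
    // is tainted, so toDataURL()/getImageData() throw a SecurityError.
    return { mode: 'no-cors', loads: true, canvasTainted: true };
  }
  const h = lowerCaseKeys(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  const credentialed = String(crossOrigin).toLowerCase() === 'use-credentials';
  const pass = credentialed
    ? allowOrigin === pageOrigin && h['access-control-allow-credentials'] === 'true'
    : allowOrigin === '*' || allowOrigin === pageOrigin;
  return { mode: 'cors', loads: pass, canvasTainted: false };
}

const PAGE_ORIGIN = 'http://localhost:5601'; // constructed page origin
const WILDCARD = { 'Access-Control-Allow-Origin': '*' };
const SAMPLES = [
  { name: 'local server, no CORS headers', imageUrl: 'http://localhost:8000/shot.png', crossOrigin: 'anonymous' },
  { name: 'local server, no CORS headers', imageUrl: 'http://localhost:8000/shot.png', crossOrigin: null },
  { name: 'CDN with wildcard header', imageUrl: 'https://cdn.example.com/logo.svg', crossOrigin: 'anonymous', responseHeaders: WILDCARD },
  { name: 'CDN with wildcard header', imageUrl: 'https://cdn.example.com/logo.svg', crossOrigin: 'use-credentials', responseHeaders: WILDCARD },
];

function runSamples() {
  return SAMPLES.map((s) => ({
    name: s.name,
    crossOrigin: String(s.crossOrigin),
    ...imageLoadOutcome({ pageOrigin: PAGE_ORIGIN, ...s }),
  }));
}

console.table(runSamples());
```

The second row is the case this PR enables: the image now renders, at the cost of a tainted canvas for any export path that reads pixels back.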