Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Vega] Allow image loading without CORS policy by changing the default to crossOrigin=null #91991

Merged
merged 4 commits into from
Feb 26, 2021
Merged

[Vega] Allow image loading without CORS policy by changing the default to crossOrigin=null #91991

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0062f4c
changing the default to crossOrigin=null in Vega
VladLasitsa Feb 19, 2021
5019dd2
Fix eslint
VladLasitsa Feb 19, 2021
9a28f35
Merge branch 'master' into 83978
kibanamachine Feb 22, 2021
9226797
Merge branch 'master' into 83978
kibanamachine Feb 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ export class VegaBaseView {
// Override URL sanitizer to prevent external data loading (if disabled)
const vegaLoader = loader();
const originalSanitize = vegaLoader.sanitize.bind(vegaLoader);
vegaLoader.sanitize = (uri, options) => {
vegaLoader.sanitize = async (uri, options) => {
if (uri.bypassToken === bypassToken) {
// If uri has a bypass token, the uri was encoded by bypassExternalUrlCheck() above.
// because user can only supply pure JSON data structure.
Expand All @@ -189,7 +189,11 @@ export class VegaBaseView {
})
);
}
return originalSanitize(uri, options);
const result = await originalSanitize(uri, options);
// This will allow Vega users to load images from any domain.
result.crossOrigin = null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wylieconlon I'm not a big fan of this kind of changes. Could you please help me to reproduce that issue locally. I've modified hosts file, set vis_type_vega.enableExternalUrls: true and use the following vega spec with image from external resource.

Vega spec:

{
  $schema: https://vega.github.io/schema/vega/v5.json
  marks: [
  {
      "type": "image",
      "encode": {
        "enter": {
          "url": {
            "value": "https://cdn.glitch.com/4c9ebeb9-8b9a-4adc-ad0a-238d9ae00bb5%2Fmdn_logo-only_color.svg?1535749917189"
          }
        }
      }
    }
  
  ]
}

Result:
image

Image loaded without any warnings/errors in console

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexwizp the image that you're found allows all CORS requests, so it is not a good example of the type of image that causes this behavior. Most CDNs automatically allows CORS requests for images, so maybe the best place to find this kind of image is a non-CDN source. Maybe setting up a local HTTP server on a different port would be a better example.


return result;
};
config.loader = vegaLoader;

Expand Down