discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

CDN `Access-Control-Allow-Origin` header and CORS #6047

Closed arHSM closed 1 year ago

arHSM commented 1 year ago

Description

The CDN (https://cdn.discordapp.com) returns an Access-Control-Allow-Origin header. This header has the value of the origin domain from which the file was uploaded.

The official Discord client uses the media proxy (https://media.discordapp.net) for images and videos, which returns a wildcard for said header. As for other files, the client uses the CDN directly.

If my bot sends a message from the endpoint https://discord.com/api/v10/channels/{channel.id}/messages with an attachment, and I try to view the file from https://canary.discord.com/channels/{guild.id}/{channel.id}, the file wouldn't be previewed and the request would fail due to a CORS error.

Steps to Reproduce

Expected Behavior

Users are able to preview files regardless of the subdomain they are on

Current Behavior

Users can only preview non image, video files from the subdomain they were uploaded from

Screenshots/Videos

Canary

The text file being requested from the CDN returning the said header

The image being requested from the media proxy, with a wildcard as the value for the said header

PTB

Failure due to CORS, as access-control-allow-origin is https://canary.discord.com

Client and System Information

Browser: Chrome
Library: - (official client)
Client: Canary & PTB
OS: Linux (EndeavorOS)
OS Version: (rolling release)

devsnek commented 1 year ago

Are you able to provide any more details? We have not been able to reproduce this.

arHSM commented 1 year ago

The issue only occurs when the file is fetched by the client directly from the CDN and not from the media proxy. Try sending a text file from ptb.discord.com and then view it on discord.com, you won't be able to see the preview of the file as the request is failing due to CORS.

The media proxy uses a wildcard for Access-Control-Allow-Origin, the CDN uses the host as the value from which the file was uploaded.

devsnek commented 1 year ago

Unfortunately I'm not seeing this. Is it possible you are using a proxy or similar which may be doing additional caching?

arHSM commented 1 year ago

I am not using a proxy, but toggling Disable Cache in my browser's dev tools has seemingly fixed the issue, sorry for the trouble.
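
Added example, not part of the thread above and not Discord's code: a small JavaScript model of how a reflected `Access-Control-Allow-Origin` value interacts with an HTTP cache, which is one way a CORS failure can disappear when the cache is disabled. The server function, the cache class, the `cdn.example` URL and the assumption that the cached response lacks `Vary: Origin` are all hypothetical; the thread does not show which `Vary` header the CDN sends.

```javascript
// Constructed model for illustration; none of this is Discord's code.
// CORS check a browser applies to a non-credentialed cross-origin response.
function corsAllows(requestOrigin, response) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === requestOrigin;
}

// Hypothetical origin server that reflects the request Origin into ACAO.
function reflectingServer(sendVary) {
  return (url, origin) => {
    const headers = { "access-control-allow-origin": origin };
    if (sendVary) headers["vary"] = "Origin";
    return { url, headers, body: "file contents" };
  };
}

// Minimal HTTP cache: keyed by URL plus the request headers named in Vary.
class HttpCache {
  constructor(server) { this.server = server; this.entries = new Map(); this.hits = 0; }
  fetch(url, origin) {
    const reqHeaders = { origin };
    for (const e of this.entries.get(url) ?? []) {
      // An entry is reusable only if every Vary-listed header matches.
      const match = e.varyOn.every((h) => e.reqHeaders[h] === reqHeaders[h]);
      if (match) { this.hits++; return e.response; }
    }
    const response = this.server(url, origin);
    const varyOn = (response.headers["vary"] ?? "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const list = this.entries.get(url) ?? [];
    list.push({ varyOn, reqHeaders, response });
    this.entries.set(url, list);
    return response;
  }
}

// Load the same file from two origins through one cache; report the CORS result.
function simulate(sendVary) {
  const cache = new HttpCache(reflectingServer(sendVary));
  const url = "https://cdn.example/attachments/1/2/file.txt"; // constructed URL
  const first = "https://canary.discord.com", second = "https://ptb.discord.com";
  const r1 = cache.fetch(url, first);
  const r2 = cache.fetch(url, second);
  return { firstOk: corsAllows(first, r1), secondOk: corsAllows(second, r2), hits: cache.hits };
}

console.log("without Vary:", simulate(false));
console.log("with Vary: Origin:", simulate(true));
```

When a server reflects the request origin into `Access-Control-Allow-Origin`, sending `Vary: Origin` with it keeps a cache from replaying a response stored for one origin to a page on another.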