search

observablehq / feedback

Customer submitted bugs and feature requests
42 stars 3 forks source link

CORS errors introduced when referring to file attachment after publishing; works in private mode #278

Open aaronkyle opened 3 years ago

aaronkyle commented 3 years ago

Describe the bug CORS errors introduced when referring to file attachment after publishing; works in private mode

To Reproduce Steps to reproduce the behavior:

  1. Go to 'https://observablehq.com/d/34e84160f736767b'
  2. Note red error message
  3. Click on 'Fork'
  4. Note modules loaded correctly

Expected behavior No errors on published notebook.

Additional context Thank you for this amazing platform!

mbostock commented 3 years ago

This is the expected behavior for cross-origin resources. You either need to tell your library to send the appropriate CORS headers, or load it a different way. For example:

attachment = await FileAttachment("_ags_map047653e68e4f4cd5bca2a0cbe9960279.tif").blob()
Agriculture_Mask_tiff = geotiff.fromBlob(attachment)

That said, there is a possible feature request here which is that file attachments should always be served same-origin, which would preempt any CORS problems. The downside of this is that the assets are less likely to be cached when they are shared across origins, but I believe it is already the case that browsers don’t allow cache sharing across origins these days.

aaronkyle commented 3 years ago

Thank you. To make sure that I understand this: the CORS issue isn't encountered on private notebooks because all requests are coming from the same origin. Once published, requests may come from different origins - and this change affects how the file attachment loads?

mbostock commented 3 years ago

Yep, exactly.