solana-labs / solana

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://solanalabs.com
Apache License 2.0

Solana Block Explorer fails to load metaplex metadata #26321

Closed bji closed 2 years ago

bji commented 2 years ago

Problem

I have published metaplex metadata for a token mint and the Solana Explorer cannot load it - the web browser reports a CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.shinobi-systems.com/devnet_mystery_metadata.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

However, if I check the server headers, the server does support this header:

$ wget -S --header="Origin: explorer.solana.com" -O- "https://www.shinobi-systems.com/devnet_mystery_metadata.json" > /dev/null
--2022-06-29 12:41:01--  https://www.shinobi-systems.com/devnet_mystery_metadata.json
Resolving www.shinobi-systems.com (www.shinobi-systems.com)... 13.227.74.33, 13.227.74.42, 13.227.74.45, ...
Connecting to www.shinobi-systems.com (www.shinobi-systems.com)|13.227.74.33|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Content-Type: application/json
  Content-Length: 595
  Connection: keep-alive
  Date: Wed, 29 Jun 2022 03:01:09 GMT
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: HEAD, GET
  Access-Control-Expose-Headers: ETag, x-amz-meta-custom-header
  Last-Modified: Tue, 07 Jun 2022 16:51:58 GMT
  ETag: "2a71aa692bd02dfc5443e82af22b760e"
  Server: AmazonS3
  X-Cache: Hit from cloudfront
  Via: 1.1 34d694cee116d42560f77448eb932ac8.cloudfront.net (CloudFront)
  X-Amz-Cf-Pop: SFO20-C1
  X-Amz-Cf-Id: 9q709piX3Wy1gTJZy6eqtKB2rCz03B7uU4xIuK5J25AoUY5_xQQQ9Q==
  Age: 59994

solscan.io has no problems loading the metadata.

Here's the explorer link showing this problem:

https://explorer.solana.com/address/BMmK72ZrjxWsm3x3CRMXP51rjucNEmRppoxX2B5VejGe?cluster=devnet&display=detail

Here's the solscan.io link showing that it is able to load the metadata without problems:

https://solscan.io/token/BMmK72ZrjxWsm3x3CRMXP51rjucNEmRppoxX2B5VejGe?cluster=devnet

(Note that the proper image to show for this metadata is "three question marks", which solscan shows because it loaded the external metadata json file properly; but explorer does not show this image because it failed to load the file)

I believe that it might be the case that the Solana explorer is using "CORS preflight" requests? These don't work well with Amazon S3:

$ curl -i -X OPTIONS -H "Origin: explorer.solana.com" https://www.shinobi-systems.com/devnet_mystery_metadata.json
HTTP/2 403 
content-type: text/html; charset=utf-8
content-length: 578
date: Wed, 29 Jun 2022 19:43:42 GMT
server: AmazonS3
x-cache: Error from cloudfront
via: 1.1 7581b66819bfc73b585e8930fb9ac792.cloudfront.net (CloudFront)
x-amz-cf-pop: SFO20-C1
x-amz-cf-id: DUUOslVHdcvLuZDveTKEGvej0iEMpIVEHxtAmU8TLCpn-fQj7yJInA==

<html>
<head><title>403 Forbidden</title></head>
<body>
<h1>403 Forbidden</h1>
<ul>
<li>Code: AccessForbidden</li>
<li>Message: CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource&#39;s CORS spec.</li>
<li>Method: OPTIONS</li>
<li>ResourceType: OBJECT</li>
<li>RequestId: VN2PTP2XC962CRFN</li>
<li>HostId: pJkkf8e0l6VVv3oYf0J/tjXf0MDkM9KyoCO6Uvx2RGNDyYZW0EuKg0Air/4WkfOYWvXY2ZPndhY=</li>
</ul>
<hr/>
</body>
</html>

Honestly CORS is a freaking disaster in general and I think that doing whatever is necessary to minimize its impact would be best.

Proposed Solution

Disable use of "CORS preflight" requests in the Solana explorer javascript code, if that's what's causing the problem.
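Added example, not part of the original issue and not the explorer's code: a simplified model of the two browser-side decisions this report turns on, namely whether a cross-origin request is preceded by an OPTIONS preflight and whether the response's CORS headers let the page read the body. The function names and the `https://explorer.solana.com` origin value are assumptions; the response headers are copied from the wget output above.

```javascript
// Added example: simplified model of two Fetch-standard decisions (not explorer code).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a cross-origin request would be preceded by an OPTIONS preflight.
// Simplification: ignores the Range header and the header value length/byte rules.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === "content-type") {
      const essence = value.split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(essence)) continue;
    }
    return true; // any other author-set header forces a preflight
  }
  return false;
}

// CORS check on the actual response. The origin comparison is an exact match
// on the serialized origin (scheme + host + optional port).
function corsCheck(responseHeaders, origin, credentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v.trim();
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return { ok: false, reason: "Access-Control-Allow-Origin missing" };
  if (!credentials && allow === "*") return { ok: true, reason: "wildcard" };
  if (allow !== origin) return { ok: false, reason: "origin mismatch" };
  if (credentials && h["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "credentials not allowed" };
  return { ok: true, reason: "origin match" };
}

// Headers copied from the wget output on this page; ORIGIN is an assumed value.
const ORIGIN = "https://explorer.solana.com";
const pageHeaders = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "HEAD, GET",
};
console.log(needsPreflight("GET"), corsCheck(pageHeaders, ORIGIN));
// Constructed case: the same response without the Access-Control-Allow-Origin header.
console.log(corsCheck({ "Content-Type": "application/json" }, ORIGIN));
```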

bji commented 2 years ago

Maybe the best solution would be to not send an Origin header at all in the request for the metadata URI if possible.

askibin commented 2 years ago

I can see the picture in the explorer and it looks like it is being loaded from the explorer's backend. Maybe it just needed some time to get it uploaded?

bji commented 2 years ago

> I can see the picture in the explorer and it looks like it is being loaded from the explorer's backend. Maybe it just needed some time to get it uploaded?

Yes it has fixed itself, thank you!

My assumption is that the explorer is caching these images, and that its original fetch of the image came at a time when I didn't have CORS enabled on the S3 static website bucket that is serving the file, and so that fetch failed, which caused the explorer to cache a "default image" instead. But then that expired from the cache and now subsequent re-caching is succeeding now that I've fixed my CORS failure.

Thank you!