[wp-meta] [Making WordPress.org] #7442: GitHub PR images not displayed

Making WordPress.org noreply at wordpress.org
Tue Feb 6 02:57:19 UTC 2024


#7442: GitHub PR images not displayed
--------------------------+--------------------
 Reporter:  dd32          |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:
Component:  Trac          |   Keywords:
--------------------------+--------------------
 As of a few weeks ago (at least) GitHub images in PRs are no longer being
 displayed on trac.

 For example:
 https://core.trac.wordpress.org/ticket/57600#comment:17

 In that example, I've edited the first image listed from proxying via
 Jetpack Photon to using the image URL directly.

 This appears to be that the GitHub API is blocking Jetpack Photon from
 re-publishing the images.

 For example; https://i0.wp.com/github.com/WordPress/wordpress-develop/assets/519727/33fc163b-7526-4a7c-87c3-57e9214b8033
 gives a 403 response.

 Looking at the Photon source,
 https://code.trac.wordpress.org/browser/photon/index.php#L294 we can see
 that the specific 403 presented means the upstream returned a 403 too.

 '''Why do we proxy images via Photon?'''

 Photon is in front of GitHub primarily as it doesn't expose CORS headers.
 Why do we need CORS headers? Well, because we have `<img
 crossorigin="anonymous" />` such that the embedded content isn't requested
 with credentials and doesn't attempt to display any external-url basic
 authentication prompts.

 Realistically, we can probably remove the usage of Photon here, by
 removing the use of `crossorigin=anonymous` for github.com, as we trust
 github not to present an HTTP Authorization request, and as the content is
 within an `<img>` element there shouldn't be any possibility of malicious
 content within a GitHub attachment being able to access the trac page
 DOM.

 I'm not 100% positive on that though.

 Trac does offer a safe list of URIs that should not get crossorigin=false
 attributes, we can possibly just add GitHub to that.

 upstream refs: https://trac.edgewall.org/changeset/15894 +
 https://trac.edgewall.org/changeset/16025

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7442>
Making WordPress.org <https://meta.trac.wordpress.org/>
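The ticket above hinges on three things: what `crossorigin="anonymous"` makes the browser require of the image origin, what Photon changes by sitting in front of GitHub, and what a safe-origins allowlist changes by leaving the attribute off. The Node.js script below is an added illustration, not code from Trac, Photon or GitHub. It emulates the browser's CORS decision for a credential-less image fetch, builds a Trac-style `<img>` tag from a hypothetical allowlist (modelled on the ticket's description of Trac's safe list, not on Trac's actual implementation), and rewrites a GitHub URL into the `i0.wp.com/<host><path>` shape quoted in the report. The response headers are constructed samples; the only real value is the GitHub attachment URL from the ticket.

```javascript
// Added example (not Trac's, Photon's or GitHub's code). Hypothetical helpers
// that model the behaviour described in the ticket: an emulated browser CORS
// check for an <img> fetched in "anonymous" (credential-less) mode, a
// Trac-style tag builder driven by a safe-origins allowlist, and a
// Photon-style URL rewrite.

// Origin of the page embedding the image (the Trac ticket page in the report).
const PAGE_ORIGIN = 'https://core.trac.wordpress.org';

// The GitHub attachment URL quoted in the ticket.
const GH_IMAGE =
  'https://github.com/WordPress/wordpress-develop/assets/519727/33fc163b-7526-4a7c-87c3-57e9214b8033';

// Constructed sample response headers (assumptions, not captured responses):
// an origin that sends no CORS headers at all, and a proxy that allows any origin.
const NO_CORS_HEADERS = { 'content-type': 'image/png' };
const PROXY_HEADERS = { 'content-type': 'image/png', 'access-control-allow-origin': '*' };

// Minimal attribute escaping so a URL containing '"' cannot break out of src="".
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rewrite a remote image URL into a Photon-proxied one: https://i0.wp.com/<host><path>.
function photonUrl(src) {
  const u = new URL(src);
  return `https://i0.wp.com/${u.host}${u.pathname}${u.search}`;
}

// Trac-style attribute selection. Origins on safeOrigins get a plain <img>;
// every other origin gets crossorigin="anonymous", which makes the browser
// send the request without credentials and never surface an auth prompt for it.
function imgAttributes(src, safeOrigins) {
  const origin = new URL(src).origin;
  const attrs = { src };
  if (!safeOrigins.includes(origin)) attrs.crossorigin = 'anonymous';
  return attrs;
}

// Serialize the attribute map into the tag Trac would emit.
function serializeImg(attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<img ${parts.join(' ')} />`;
}

// Emulate the browser's CORS check for a credential-less fetch: the response
// must carry Access-Control-Allow-Origin equal to the page origin or "*"
// (the wildcard is acceptable only because no credentials were sent).
function corsAllowsAnonymous(pageOrigin, responseHeaders) {
  const entry = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  if (!entry) return false;
  const allowed = entry[1].trim();
  return allowed === '*' || allowed === pageOrigin;
}

// Would the image be displayed? Without crossorigin the fetch is "no-cors":
// the response is opaque to script but still rendered. With crossorigin the
// CORS check must pass, otherwise the browser discards the response.
function imageRenders(attrs, responseHeaders, pageOrigin = PAGE_ORIGIN) {
  if (attrs.crossorigin === undefined) return true;
  return corsAllowsAnonymous(pageOrigin, responseHeaders);
}

// The three configurations discussed in the ticket: direct to GitHub with
// crossorigin, via Photon with crossorigin, and direct to GitHub once
// github.com is on the safe list (so no crossorigin attribute is emitted).
function scenarios() {
  const direct = imgAttributes(GH_IMAGE, []);
  const proxied = imgAttributes(photonUrl(GH_IMAGE), []);
  const safeListed = imgAttributes(GH_IMAGE, ['https://github.com']);
  return {
    directRenders: imageRenders(direct, NO_CORS_HEADERS),
    proxiedRenders: imageRenders(proxied, PROXY_HEADERS),
    safeListedRenders: imageRenders(safeListed, NO_CORS_HEADERS),
  };
}

console.log(scenarios()); // { directRenders: false, proxiedRenders: true, safeListedRenders: true }
```

The `safeListedRenders` case is the trade-off the ticket weighs: dropping `crossorigin` lets the image render without any help from the origin's headers, but the request is then made in no-cors mode with credentials attached, so the only thing keeping an HTTP auth prompt away is trust in the listed origin. The wildcard acceptance in `corsAllowsAnonymous` is correct only for credential-less requests; a browser rejects `*` as soon as credentials are included, which is exactly why the attribute's value matters.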