- Issue was unassigned.
- Status changed to RTBC
about 1 year ago 5:25pm 13 September 2023 - last update
about 1 year ago 4 pass - 🇸🇰 Slovakia kaszarobert
Well, we've been using patch #4 in production for a big news corporation since last year, and they have never mentioned cropping issues while producing 50-100 new articles every day. So, to stop stalling this issue for years, I guess the maintainer should now decide whether this feature will be included or not.
- Status changed to Needs work
17 days ago 11:56am 5 November 2024 - 🇳🇱 Netherlands eelkeblok
What are the security implications? Why is this set to anonymous in the first place? "Works for me" is not really a ringing endorsement for a patch that has security implications :)
- 🇸🇰 Slovakia kaszarobert
According to https://github.com/fengyuanchen/cropperjs#checkcrossorigin, by default, when the JS library is loaded, it clones the image element and makes an AJAX request for the image file to do some orientation metadata checking. In the case of native S3 URLs, this means sending an AJAX request to a different domain, so it will not work, because it's a cross-domain AJAX request and S3 is missing the CORS headers. The documentation states that setting checkCrossOrigin to false means it will not make this AJAX call.
The other solution would be to set up the Access-Control-Allow-Origin headers in Amazon S3/Google Cloud Storage (if possible), or to proxy the file URLs in the S3 storage so that they use the same domain the site runs on.
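The two alternatives in the comment above (proper CORS headers on the bucket, or proxying the files through the site's own domain) can be checked before deploying either. The following is an added example, not code from the issue, from Drupal or from cropperjs: it applies the browser's same-origin comparison (scheme, host and port) to an image URL, then evaluates a bucket's CORS configuration in the AWS S3 JSON format (AllowedOrigins, AllowedMethods) against the page origin to see whether a cross-origin GET of the image bytes would be permitted. The origins, bucket name and file paths are constructed for the example.

```javascript
// Added example (not from the Drupal issue or from cropperjs). Decide whether an
// image URL is cross-origin for a given page origin, and whether a bucket's CORS
// configuration (AWS S3 JSON format) would let the browser read the image bytes
// from that page. All origins, bucket names and paths below are made up.

// Same comparison the browser uses for the origin check: scheme, host and port.
function isCrossOriginURL(imageUrl, pageOrigin) {
  const img = new URL(imageUrl);
  const page = new URL(pageOrigin);
  return img.protocol !== page.protocol
    || img.hostname !== page.hostname
    || img.port !== page.port;
}

// Match one AllowedOrigins entry against the page origin. S3 permits a single
// "*" wildcard inside an entry (for example "https://*.news.example").
function originMatches(pattern, origin) {
  if (pattern === '*') return true;
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except "*"
    .replace('*', '.*');
  return new RegExp(`^${escaped}$`).test(origin);
}

// Return the first CORS rule that allows a GET from pageOrigin, or null when the
// browser would block the response (the "missing CORS headers" failure above).
function corsRuleAllowingGet(corsRules, pageOrigin) {
  for (const rule of corsRules) {
    const methodOk = (rule.AllowedMethods || []).includes('GET');
    const originOk = (rule.AllowedOrigins || []).some((p) => originMatches(p, pageOrigin));
    if (methodOk && originOk) return rule;
  }
  return null;
}

// Combined check. A same-origin (proxied) URL needs no CORS at all; a native
// bucket URL needs a matching rule. A rule that relies on the "*" origin is
// flagged so the reviewer can decide whether it should be narrowed to the site.
function imageReadable(imageUrl, pageOrigin, corsRules) {
  if (!isCrossOriginURL(imageUrl, pageOrigin)) {
    return { ok: true, reason: 'same-origin' };
  }
  const rule = corsRuleAllowingGet(corsRules, pageOrigin);
  if (!rule) {
    return { ok: false, reason: `no CORS rule allows GET from ${pageOrigin}` };
  }
  const wildcard = rule.AllowedOrigins.includes('*');
  return { ok: true, reason: wildcard ? 'allowed by wildcard origin' : 'allowed by rule' };
}

// Constructed sample data: the site's origin, a native S3 URL, a proxied URL,
// and two bucket CORS configurations (one empty, one restricted to the site).
const PAGE_ORIGIN = 'https://news.example';
const S3_IMAGE = 'https://example-media-bucket.s3.eu-central-1.amazonaws.com/2024/photo.jpg';
const PROXIED_IMAGE = 'https://news.example/s3/files/2024/photo.jpg';
const CORS_MISSING = [];
const CORS_RESTRICTED = [{
  AllowedHeaders: [],
  AllowedMethods: ['GET'],
  AllowedOrigins: ['https://news.example'],
  ExposeHeaders: [],
  MaxAgeSeconds: 3000,
}];

console.log(imageReadable(S3_IMAGE, PAGE_ORIGIN, CORS_MISSING));      // blocked
console.log(imageReadable(S3_IMAGE, PAGE_ORIGIN, CORS_RESTRICTED));   // allowed by rule
console.log(imageReadable(PROXIED_IMAGE, PAGE_ORIGIN, CORS_MISSING)); // same-origin
```

The restricted configuration above is the shape to aim for when the bucket stays cross-origin: GET only, and AllowedOrigins limited to the site's own origin rather than `*`, so the bucket's objects are not readable by script from arbitrary pages. The proxied URL needs no bucket change at all, at the cost of routing image traffic through the site.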