Content-Type for blob images #138
Comments
Are you noticing this problem on
I think this made sense when Sharp was resizing them, but since Sharp is optional we should double-check that this is only happening if Sharp has turned them into a PNG. |
|
Found the underlying bug I think you're describing. The broken images you were seeing was actually your browser being shown text and being told it was a PNG. 🤦♂️ Here's what the error looks like if your browser shows it as text: |
|
My bug description was kind of meandering and led to another different bug :D I meant - find an image someone has posted (not an avatar), right-click the image and open in a new tab. Example: this post This image (/blob/ url) http://localhost:3000/blob/%26%2F3M%2B9WPSPgyBwEVQqhz1UQLafThYi1F3j60PF5usJlI%3D.sha256 It works fine in an |
|
@cinnamon-bun Thanks for all the merges! ❤️ Does #143 resolve this? For me, that curl -v 'http://localhost:4515/blob/%26%2F3M%2B9WPSPgyBwEVQqhz1UQLafThYi1F3j60PF5usJlI%3D.sha256'
* Trying ::1:4515...
* TCP_NODELAY set
* connect to ::1 port 4515 failed: Connection refused
* Trying 127.0.0.1:4515...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 4515 (#0)
> GET /blob/%26%2F3M%2B9WPSPgyBwEVQqhz1UQLafThYi1F3j60PF5usJlI%3D.sha256 HTTP/1.1
> Host: localhost:4515
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 197834
< Cache-Control: public,max-age=31536000,immutable
< Content-Disposition: inline; filename="3M+9WPSPgyBwEVQqhz1UQLafThYi1F3j60PF5usJlI=.sha256"
< Content-Security-Policy: default-src 'none'; img-src 'self'; form-action 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Feature-Policy: speaker 'self'
< Date: Tue, 04 Feb 2020 05:41:02 GMT
< Connection: keep-alive
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 16384)
* Closing connection 0 |
|
#143 didn't fix it. I'm seeing those same headers, yep. There's no Turns out the browsers act differently:
|
|
The reason I wanted to do this in the first place was to view an image at full size. It'd be nice if images were wrapped in an |
|
Hmm. If we don't have another option, I don't mind removing the nosniff protection. 🤷♂️ Gotta do what we gotta do. |
Problem: We use nosniff to keep the web browser from getting confused about what kinds of content we're serving in Oasis, but this causes problems for blob URLs that have arbitrary data. Solution: Remove nosniff on blob URLs to let the browser figure out what kind of content we're serving. Resolves fraction#138
Opening an image in a new tab doesn't work well - the browser renders it as text.
I guess we need to figure out the file type on the server and set the Content-Type header. At least for some common image and video types.
Prior work
This has already been done for SVG with #128
Images are normally served from
/blob/...hash.... There's another endpoint,/image/64/...hash.... Ifsharpis installed that resizes and crops images, otherwise it serves them raw. It always sets Content-Type topngno matter the original image type, but browsers seem to do ok even if the data is actually JPG.Security implications
???
The text was updated successfully, but these errors were encountered: