Skip to content

fix(client): revert crossOrigin on Scryfall <img> tags (fixes card-art regression)#4352

Merged
matthewevans merged 1 commit into
mainfrom
fix/card-image-cors-revert
Jun 26, 2026
Merged

fix(client): revert crossOrigin on Scryfall <img> tags (fixes card-art regression)#4352
matthewevans merged 1 commit into
mainfrom
fix/card-image-cors-revert

Conversation

@matthewevans

Copy link
Copy Markdown
Member

Problem

Card art and mana symbols were falling back to plain text on the whole board (every card showed its name + oracle text instead of its image).

Root cause

PR #4343 added crossOrigin="anonymous" to the three Scryfall <img> components as prep for a future COEP: require-corp cross-origin-isolation switch (needed for a SharedArrayBuffer shared-memory card DB). That switch to CORS mode is what broke image rendering:

  • crossOrigin turns each <img> into a CORS request, which only renders if the response carries Access-Control-Allow-Origin.
  • Scryfall returns access-control-allow-origin: * only when an Origin header is sent, and — critically — its no-Origin responses carry no Vary: Origin.
  • Browser/Cloudflare caches were filled before chore(client): mark Scryfall <img> tags crossOrigin=anonymous (prep for COEP cross-origin isolation) #4343 from plain no-CORS requests, whose stored responses have no ACAO. The new CORS requests get served those poisoned cache entries, the CORS check fails, and the image errors into the text fallback.

A cold cache would have loaded fine — which is why this only began after #4343 shipped.

curl -sI                         cards.scryfall.io/... → 200, (no ACAO)
curl -sI -H 'Origin: ...preview' cards.scryfall.io/... → 200, access-control-allow-origin: *, vary: Origin

The app host (preview.phase-rs.dev) has no COEP/COOP header, so this is purely the per-<img> CORS-mode change.

Fix

Revert the crossOrigin attribute on CardImage, ArtCropCard, and ManaSymbol, restoring the no-CORS loading that worked before. This change has no remaining purpose — the COEP/SharedArrayBuffer shared-memory card DB it was prepping for was replaced by the game-scoped card-DB subset (#4348), so cross-origin isolation is no longer on the roadmap.

DeathShatter and AudioManager keep their own self-contained crossOrigin (canvas/audio taint needs); the index.html Scryfall preconnect crossorigin predates #4343 and is left intact.

Also included: mana symbols in the image-fallback text

While the image fallback exists, its oracle text rendered {T}/{W}/{1} as literal braces. It now routes through RichLabel (the same building block CardPreview uses), so the fallback shows real mana symbols. Low-visibility after the revert (images load again), but correct.

Verification

check-frontend (TypeScript + ESLint) green. Recommend a hard-reload / private-window check on the preview build to confirm art returns (a cold cache bypasses the poisoned entries).

…t regression)

PR #4343's crossOrigin=anonymous turned card art + mana symbols into CORS
requests; browser/CF caches filled pre-#4343 from no-CORS requests hold
ACAO-less responses, so the CORS check fails and every cached image falls back
to text. The COEP/SharedArrayBuffer shared-memory card DB this was prepping for
was replaced by the game-scoped subset (#4348), so crossOrigin has no remaining
purpose. DeathShatter/AudioManager keep their own crossOrigin.

Also render mana symbols ({T}/{W}/...) in the image-fallback oracle text via
RichLabel instead of literal braces.
@matthewevans matthewevans enabled auto-merge June 26, 2026 03:56

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes the crossOrigin="anonymous" attribute from image elements in ArtCropCard, CardImage, and ManaSymbol. It also updates CardImage to render the resolved oracle text using the RichLabel component instead of plain text. There are no review comments, so no feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@matthewevans matthewevans added this pull request to the merge queue Jun 26, 2026
Merged via the queue into main with commit 36a8f37 Jun 26, 2026
11 checks passed
@matthewevans matthewevans deleted the fix/card-image-cors-revert branch June 26, 2026 04:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant