
Comments (7)

napernik commented on August 17, 2024

I did some testing: PhantomJS has no problem rendering images from foreign hostnames, both http and https. The only exception from our packages is that Instagram's CDN seems to reject https requests from our PhantomJS. If that's the only domain we have an issue with, I suggest addressing it in the Instagram package by using http instead of https for image references.

from c1-cms-foundation.

wwwysocki commented on August 17, 2024

The Instagram package might have been affected by the recent change in the Instagram API. Please see this issue: Orckestra/CMS-Packages#10

from c1-cms-foundation.

InnaBoitsun commented on August 17, 2024

Not only the Instagram package; the LinkedIn package also has the same problems. For example, try the following:

 <img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_myprofile_160x33.png" width="160" height="33" border="0" alt="View profile on LinkedIn" />

from c1-cms-foundation.

burningice2866 commented on August 17, 2024

Should be easy enough to fix by creating a simple local proxy handler and rewriting all img sources to use that proxy when rendering through PhantomJS.

from c1-cms-foundation.

mawtex commented on August 17, 2024

should be easy enough to fix by creating a simple local proxy handler

Wouldn't that mean extra requests, caching, cache invalidation issues and require extra work for external resources referenced via css for instance?

One line solid fix?
The PhantomJs config variable webSecurityEnabled is the culprit here - it defaults to true and will block external URLs (in the latest PhantomJs, which we just updated to, https will always be allowed). Setting it to false (and restarting C1) should close this issue.

Setting webSecurityEnabled to false (in ~/App_Data/Composite/PhantomJs/config.json) is not very well documented, except for this bit https://github.com/adobe/webkit/blob/044126629b2e175119722f58a0098220e0aa0b33/Source/WebCore/dom/Document.cpp#L4557 - as far as I can see it will enable loading external resources (regardless of protocol) and will also enable cross domain XHR. I cannot phantom any situation where this will be an issue, especially given the fact that what we are rendering is completely under dev control. If anyone can see us creating a new attack surface here, please share.

from c1-cms-foundation.

burningice2866 commented on August 17, 2024

Wouldn't that mean extra requests, caching, cache invalidation issues and require extra work for external resources referenced via css for instance?

An extra request, yes, but for a local address which acts as a simple pass-through proxy, so it wouldn't take any extra resources if done using an IHttpAsyncHandler.

Instead of

you would do

It was a simple suggestion on an issue that was several months old, and while it wouldn't fix all scenarios, like external image references in CSS documents, it would be better than nothing.

But surely, if there is a switch in PhantomJs which enables https requests, then that should simply be enabled.

from c1-cms-foundation.
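
The proxy approach suggested in the comment above, as an added example (not code from the thread or from C1 CMS): img sources are rewritten to a local pass-through proxy that only serves allowlisted hosts, which leaves webSecurityEnabled at its default. The proxy path and the allowlist are assumptions; the only real host used is the one from the LinkedIn tag quoted earlier.

```javascript
'use strict';
// Added example. Assumptions: PROXY_PATH is a hypothetical local handler, and
// the allowlist holds only the LinkedIn host from the sample tag in the thread.
const PROXY_PATH = '/ImageProxy.ashx';
const ALLOWED_HOSTS = new Set(['static.licdn.com']);

// True only for plain http(s) URLs on an allowlisted host and default port.
function isAllowedImageUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; } // relative or malformed
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password || u.port) return false; // no userinfo, no odd ports
  return ALLOWED_HOSTS.has(u.hostname);
}

// Render-time step: point allowlisted external <img> sources at the proxy.
// Other sources are left as they are, so the renderer's own policy still applies.
// The regex assumes quoted src attributes (an assumption about the markup).
function rewriteImgSources(html) {
  return html.replace(/(<img\b[^>]*?\ssrc\s*=\s*)(["'])(.*?)\2/gi,
    (match, prefix, quote, src) => {
      const url = src.replace(/&amp;/g, '&'); // undo attribute escaping
      if (!isAllowedImageUrl(url)) return match;
      return prefix + quote + PROXY_PATH + '?url=' + encodeURIComponent(url) + quote;
    });
}

// Handler-side step: the proxy re-validates its own parameter, because any
// client can call it directly and it must not fetch arbitrary URLs.
function resolveProxyTarget(queryString) {
  const raw = new URLSearchParams(queryString).get('url');
  return raw !== null && isAllowedImageUrl(raw) ? new URL(raw).href : null;
}

// Constructed input based on the tag quoted in the thread.
const sample = '<img src="https://static.licdn.com/scds/common/u/img/webpromo/' +
  'btn_myprofile_160x33.png" width="160" height="33" alt="View profile on LinkedIn" />';
console.log(rewriteImgSources(sample));
```

As noted in the thread, this does not cover external resources referenced from CSS.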

wwwysocki commented on August 17, 2024

Not only Instagram package, also LinkedIn package has the same problems...

Couldn't reproduce this issue (Tried on as early as 20151216.1)
Verified on 20160420.1

from c1-cms-foundation.
