Netlify Large Media blocking localhost via CORS

Hey all, over the last day or so, Netlify Large Media started blocking my localhost via CORS policy when trying to view a page in the Netlify CMS admin. Getting this error:

Access to fetch at 'https://mixmax.com/.netlify/large-media/origin/xxxxx?nf_resize=fit&w=560&h=320' 
from origin 'http://localhost:8084' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' 
header is present on the requested resource. If an opaque response serves your needs, set the 
request's mode to 'no-cors' to fetch the resource with CORS disabled.

Obviously the ID after origin/ is different than above, but I wanted to leave that out in case of security issues. I haven’t changed any headers in my site over the last few months. I do have dependabot auto-merging patch updates of packages, but major version changes DO NOT get auto-merged and no major version changes have been merged recently (over the last few weeks).

I’ve been searching all day for a solution, but can’t seem to come to one. One thing that has changed in the last day is we stopped a split-test we’d been running for the past few months and are now back on our master branch only.

Any help would be much appreciated!

I’d think you’d need to use https to contact our service, even while running locally, methinks, to get past this. Does that help?

Hmm I’ve been using localhost successfully for the past couple months after installing Netlify Large Media, did something change recently that I need to be on HTTPS?

NLM works just fine on my http localhost, I don’t think there’s any cause for concern.

Hi @bobeartow, can you share the network traffic for that request and possibly the pre-flight OPTIONS request?
Running curl -XOPTIONS -i -H "Origin: http://localhost:8084" -H "Authorization: Bearer notoken" https://mixmax.com/.netlify/large-media returns:

HTTP/2 401 
access-control-allow-credentials: true
access-control-allow-origin: *
alt-svc: clear
content-length: 82
content-type: application/json
date: Mon, 27 Jan 2020 22:21:36 GMT
via: 1.1 google
age: 0
server: Netlify
vary: Origin
x-nf-request-id: 6cc3015f-206f-4ce1-9b7f-c874dcf1f359-9229552

With a * as the CORS header.

Hey @erez, so this is what I get back from that curl:

HTTP/2 401 
access-control-allow-credentials: true
access-control-allow-origin: *
alt-svc: clear
content-length: 82
content-type: application/json
date: Mon, 27 Jan 2020 23:32:02 GMT
via: 1.1 google
age: 1
server: Netlify
vary: Origin
x-nf-request-id: 245eff8c-8901-4588-9430-6f2d6dcea72f-9906357

{"code":401,"msg":"This endpoint requires to be called via Netlify addon's proxy"}%

Let me know if that’s what you’re looking for.

Hi @bobeartow, sorry for not being clear enough. I was referring to the browser traffic visible under the network tab when you open the Developer Tools. When you refresh the page you should see some requests go out to https://mixmax.com/.netlify/large-media, specifically OPTIONS requests which the browser uses to get the CORS headers from the server.
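
The browser-side check that the OPTIONS pre-flight described above feeds into, as an added example (not code from any poster or from Netlify): it follows the Fetch standard's CORS check and runs it on the header values from the curl output in this thread plus a constructed response with no CORS headers. Function names are hypothetical.

```javascript
// Added example: the CORS check a browser applies to a response (Fetch standard).
// Header values are copied from the curl output in this thread; names are hypothetical.

// Parse raw "name: value" header lines into a Map keyed by lowercase name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split("\n")) {
    const idx = line.indexOf(":");
    if (idx > 0) headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Returns { ok, reason } for a response to a request made from `origin`.
// `credentials` is true when the fetch uses credentials: "include".
function corsCheck(headers, origin, credentials) {
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  if (!credentials && allowOrigin === "*") return { ok: true, reason: "wildcard, no credentials" };
  // A literal "*" never matches a real origin, so wildcard plus credentials fails here.
  if (allowOrigin !== origin) return { ok: false, reason: "origin mismatch" };
  if (!credentials) return { ok: true, reason: "origin echoed" };
  if (headers.get("access-control-allow-credentials") === "true") {
    return { ok: true, reason: "origin echoed with credentials" };
  }
  return { ok: false, reason: "credentials not allowed" };
}

// A pre-flight response must pass the CORS check and also carry a 2xx status.
function preflightPasses(status, headers, origin, credentials) {
  return corsCheck(headers, origin, credentials).ok && status >= 200 && status <= 299;
}

const ORIGIN = "http://localhost:8084";
const curlHeaders = parseHeaders(`access-control-allow-credentials: true
access-control-allow-origin: *
vary: Origin`);
// Constructed sample: a response that carries no CORS headers at all.
const noCorsHeaders = parseHeaders("content-type: image/jpeg");

console.log(corsCheck(curlHeaders, ORIGIN, false));   // passes: wildcard without credentials
console.log(corsCheck(curlHeaders, ORIGIN, true));    // fails: "*" is not valid with credentials
console.log(corsCheck(noCorsHeaders, ORIGIN, false)); // fails: the case the console error reports
console.log(preflightPasses(401, curlHeaders, ORIGIN, false)); // fails: non-2xx status
```

The third case is the one the reported console error describes: the response carried no Access-Control-Allow-Origin header at all.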

No worries, thanks for the clarification.

It actually looks like everything is back in working order somehow. Not sure if there was an outage last Friday, or if it had to do with something else on our end, but everything seems to be working properly. I’ll keep dinging on what might have changed on our end, and report back if I hear anything.

Thanks for all the assistance thus far!
