Page MenuHomePhabricator

MultimediaViewer failed to load images protected by img_auth.php
Open, MediumPublic

Description

After install MultimediaViewer on a private wiki site, it failed to load images with the following error message:

There seems to be a technical issue. You can retry or report the issue if it persists. Error: could not load image from http://dev.example.com/wiki/img_auth.php/6/69/Denmark.png

And I could see failed to load resource error on Chrome console:

Failed to load resource: the server responded with a status of 403 (Forbidden)

Versions

  • MediaWiki 1.26.2
  • MultimediaViewer 0.3.0

Steps to reproduce

  • install MediaWiki as private wiki
  • set up img_auth.php by following manual Restrict access to uploaded files
  • install MultimediaViewer 0.3.0
  • visit a category with images
  • the media viewer could not load the image with the error message.

Browser Notes

  • In Firefox, media viewer is working fine.
  • In Chrome, media viewer failed to load the images.

References
MultimediaViewer discussion topic: Does MultimediaViewer work on private wiki

Event Timeline

Thanks for the report! As mentioned in the discussion, the problem is probably that we set cors="anonymous" on the image (so that we can use an AJAX request and get progress information, timing data etc) but that prevents cookies from being sent. MediaViewer should detect whether img_auth.php is used (there is no great way to do this so probably just add a config flag that users can set) and use full CORS (or maybe none at all) in that case.

dr0ptp4kt triaged this task as Medium priority.Apr 18 2017, 3:18 PM
dr0ptp4kt moved this task from Backlog to Needs Analysis on the MediaViewer board.

I confirm that the solution of @Tgr works still with Mediawiki 1.31-rc0:

L104-L106 of mmv.Provider.js needs to change from:

if ( cors && this.needsCrossOrigin() ) {
        img.crossOrigin = 'anonymous';
}

to

if ( cors && this.needsCrossOrigin() ) {
        img.crossOrigin = 'use-credentials';
}

Now that MultimediaViewer is going to be bundled by default it seems important to this work out of the box.

IMHO we in need of a $wgPrivateWiki = true; or similar variable so we can start fixing up the compatibility problems with private wikis. I think the technical debt here is growing on a number of extensions. As part of the "better wiki out of the box project" this would seem like a key win for a number of end-users (office-wiki application).

By default, it should probably go in the other direction (T64469: MultimediaViewer should work (or at least fail more gracefully) on wikis where the images have no CORS headers), but yeah, a $wgPrivateWiki (or just User::isEveryoneAllowed( 'read' )) would make sense.

This remains an issue today. Is there any progress made on this?

No progress, otherwise progress would be listed here. In general, MultimediaViewer does not receive much development these days.