Page MenuHomePhabricator
Create Task
Maniphest T136207

MultimediaViewer failed to load images protected by img_auth.php
Open, LowPublic
Actions

Description

After install MultimediaViewer on a private wiki site, it failed to load images with the following error message:

There seems to be a technical issue. You can retry or report the issue if it persists. Error: could not load image from http://dev.example.com/wiki/img_auth.php/6/69/Denmark.png

And I could see failed to load resource error on Chrome console:

Failed to load resource: the server responded with a status of 403 (Forbidden)

Versions

  • MediaWiki 1.26.2
  • MultimediaViewer 0.3.0

Steps to reproduce

  • install MediaWiki as private wiki
  • set up img_auth.php by following manual Restrict access to uploaded files
  • install MultimediaViewer 0.3.0
  • visit a category with images
  • the media viewer could not load the image with the error message.

Browser Notes

  • In Firefox, media viewer is working fine.
  • In Chrome, media viewer failed to load the images.

References
MultimediaViewer discussion topic: Does MultimediaViewer work on private wiki

Related Objects

Event Timeline

Seanchen created this task.May 25 2016, 3:35 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 25 2016, 3:35 PM
Tgr added a comment.May 25 2016, 3:44 PM

Thanks for the report! As mentioned in the discussion, the problem is probably that we set cors="anonymous" on the image (so that we can use an AJAX request and get progress information, timing data etc) but that prevents cookies from being sent. MediaViewer should detect whether img_auth.php is used (there is no great way to do this so probably just add a config flag that users can set) and use full CORS (or maybe none at all) in that case.

Jdlrobson added projects: Reading-Infrastructure-Team-Old (Don't use), patch-welcome.May 25 2016, 5:15 PM
dr0ptp4kt triaged this task as Medium priority.Apr 18 2017, 3:18 PM
dr0ptp4kt moved this task from Backlog to Needs Analysis on the MediaViewer board.
NHarateh_WMF added a project: Product-Infrastructure-Team-Backlog-Deprecated.Apr 25 2017, 12:42 PM
NHarateh_WMF moved this task from Needs triage to Backlog on the Product-Infrastructure-Team-Backlog-Deprecated board.Apr 25 2017, 12:45 PM
Tgr removed projects: Product-Infrastructure-Team-Backlog-Deprecated, Reading-Infrastructure-Team-Old (Don't use).May 2 2017, 2:48 PM
MBinder_WMF added a project: Multimedia.Aug 7 2017, 5:39 PM
Dan.mulholland subscribed.May 28 2018, 7:57 PM

I confirm that the solution of @Tgr works still with Mediawiki 1.31-rc0:

L104-L106 of mmv.Provider.js needs to change from:

if ( cors && this.needsCrossOrigin() ) {
        img.crossOrigin = 'anonymous';
}

to

if ( cors && this.needsCrossOrigin() ) {
        img.crossOrigin = 'use-credentials';
}

Now that MultimediaViewer is going to be bundled by default it seems important to this work out of the box.

IMHO we in need of a $wgPrivateWiki = true; or similar variable so we can start fixing up the compatibility problems with private wikis. I think the technical debt here is growing on a number of extensions. As part of the "better wiki out of the box project" this would seem like a key win for a number of end-users (office-wiki application).

Tgr added a comment.May 28 2018, 8:29 PM

By default, it should probably go in the other direction (T64469: MultimediaViewer should work (or at least fail more gracefully) on wikis where the images have no CORS headers), but yeah, a $wgPrivateWiki (or just User::isEveryoneAllowed( 'read' )) would make sense.

Tgr unsubscribed.Jul 9 2019, 6:02 PM
JeffreyWang subscribed.Apr 27 2021, 8:22 PM

This remains an issue today. Is there any progress made on this?

Aklapper added a comment.May 3 2021, 6:19 PM

No progress, otherwise progress would be listed here. In general, MultimediaViewer does not receive much development these days.

Aklapper moved this task from Needs Analysis to Backlog on the MediaViewer board.Mar 16 2022, 11:34 AM
Anthelior subscribed.EditedDec 13 2022, 5:39 PM

As of today, I think this issue still persists. I got same error when I tried to view an image in Multimedia Viewer.

Edit: I've just discovered that it might be related to CORS. When I first load the page that image located there is no errors in console, but when I click image to view it in MM Viewer, it shows:

Ensure CORS response header values are valid

I'm using $wgForeignFileRepos to share images with my secondary wiki in my wiki family. Even after settings up $wgCrossSiteAJAXdomains, this error shows up.

TheDJ subscribed.Dec 14 2022, 11:01 AM

See also: T136207#4237310

Jdlrobson lowered the priority of this task from Medium to Low.May 14 2024, 3:58 PM
TheDJ mentioned this in T191726: Problems with MultimediaViewer in Firefox after activating https.May 15 2024, 10:07 PM
TheDJ added a comment.May 22 2024, 12:03 PM

What if... we check wgUploadPath and see if it contains img_auth.php, then forward the outcome as "wgMMVRequiresCredentials' in the config ?

TheDJ added a project: User-TheDJ.May 22 2024, 12:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits