Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CORS: Have Facebook enabled CORS for all of its pictures?

Tags:

html

cors

canvas

facebook-graph-api

I've read somewhere that Facebook have cross enabled for Profile Pictures. I'm not sure about albums and other stuff, but in fact Facebook is including the header Access-Control-Allow-Origin: * on every one of the URLs that I have tested to far.

I've tried the standard Profile picture URL 

https://graph.facebook.com/PROFILE_ID/picture?width=25&height=25

And well as Akamai urls: 

https://fbcdn-sphotos-h-a.akamaihd.net/hphotos-ak-ash3/...

(The latter are returned by https://graph.facebook.com/PROFILE_ID/photos)

My app is basically doing things such as:

var img = new Image;
img.src = "https://fbcdn-sphotos-h-a.akamaihd.net/hphotos-ak-ash3/...";
img.crossOrigin = "Anonymous";

img.onload = function() {
  ctx.drawImage(img, x, y);
}

// Above code will be repeated several times
// And mixed with code that manipulates ctx 

// Finally generetes data 
var generatedImage = canvas.toDataURL();
// And post if back to Facebook

Everything seems to be working fine with my code (tested on all major browsers), but there are a lot of users reporting intermittent bugs when uploading the canvas content back to Facebook. Unfortunately I couldn't yet get a tech savvy user to report something with a proper error description. Now I can't reproduce the problem (or even know what the problem is).

What I know so far is that by writing a server side proxy to serve Facebook images as if they were local the bugs apparently go away, so, it left me wondering, before I start digging into bizarre cross-browser issues, mysterious error messages such as OAuthException: An unknown error has occurred., tainted cavas, etc, I first have to go back to the basics:

Is CORS enabled for every single picture exposed through Graph API? (A link to the official documentation or a reliable source would be nice).

like image 893
Anthony Accioly Avatar asked Feb 12 '14 17:02

Anthony Accioly

1 Answers

Again answering my own question.

Apparently yes, CORS is enabled for every picture exposed through the Graph API. They are all being returned with Access-Control-Allow-Origin: *.

It seems like some browsers do not play well with crossorigin='anonymous' and CORS headers, so, for now, a proxy service is still the safe way to go.

like image 102
Anthony Accioly Avatar answered Nov 15 '22 21:11

Anthony Accioly
Sign in to Comment

Related questions

Are data URIs on <img>s XSS exploitable?
A table in a figure - use caption or figcaption?
html5 capture the screen [duplicate]
Google map circles are not round
Styling of "submit" buttons
Show or hide button text responsively in jQuery Mobile
jQuery - remove() not working
How to make a navigation which disappears while scrolling down but shows up by scrolling up? [closed]
Simple/Best way to load Web App as Windows Desktop Application?
Shrink image size to fit table cell, which works in all browsers?
How can I resize an image in an HTML generated word document whilst retaining the aspect ratio?
What are the limitations of HTML5 audio on Android and iOS?
change border width of Rect in fabricjs
change color of image to greyscale in html5
PHP closing tag deletes the line feed
Is it possible to use a DIV instead of an iFrame so that content looks like in the same page?
Capture video from several webcams with getUserMedia
How can I configure HAProxy to work with server sent events?
Forward request from servlet to jsp
How to take a screenshot of a web page by using Javascript

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!