CORS issue fetching avatars

Hi,

I’m facing CORS issues when trying to display an avatar in production, using an account that’s not mine (I’m the app owner).


Access to image at 'https://secure.gravatar.com/avatar/671bc531020c1d98633c110c298c21cf?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Finitials%2FG-3.png' from origin 'https://41b5ee78-05a0-49c2-a724-76056a850d9e.cdn.prod.atlassian-dev.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
671bc531020c1d98633c110c298c21cf:1
GET https://secure.gravatar.com/avatar/671bc531020c1d98633c110c298c21cf?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Finitials%2FG-3.png net::ERR_FAILED 302
Image (async)
nt @ canvas.js:6
(anonymous) @ index.js:40
Promise.then (async)
(anonymous) @ index.js:20
41b5ee78-05a0-49c2-a…tlassian-dev.net/:1
Uncaught (in promise) failed to load https://secure.gravatar.com/avatar/671bc531020c1d98633c110c298c21cf?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Finitials%2FG-3.png
Promise.then (async)
(anonymous) @ index.js:40
Promise.then (async)
(anonymous) @ index.js:20
async-profilecard.d1915b44de229ef95576.8.js:175
GET https://hackathongame.atlassian.net/gateway/api/watermelon/organization/containsAnyWorkspace?cloudId=8ff8454d-2b6a-4a9f-aeaf-d4da5d45b919 404
(anonymous) @ async-profilecard.d1915b44de229ef95576.8.js:175
createTcReadyPromise @ async-profilecard.d1915b44de229ef95576.8.js:175
c @ async-profilecard.d1915b44de229ef95576.8.js:175
(anonymous) @ async-profilecard.d1915b44de229ef95576.8.js:179
t.a @ async-profilecard.d1915b44de229ef95576.8.js:179
i @ async-profilecard.d1915b44de229ef95576.8.js:115
(anonymous) @ async-profilecard.d1915b44de229ef95576.8.js:115
l @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:33
(anonymous) @ async-profilecard.d1915b44de229ef95576.8.js:116
l @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:33
(anonymous) @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:34
triggerContainerAction @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:93
getDerivedStateFromProps @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:92
_i @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:188
Ri @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:190
Wa @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:207
Tu @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:249
Rl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:238
wl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:238
vl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:235
cl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:232
is @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:256
(anonymous) @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:257
yl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:235
fs @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:257
n.render @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:260
Qij3 @ async-profilecard.d1915b44de229ef95576.8.js:118
r @ c9e25a56-1e07-4f22-8378-28eedc1ba9fd:182
Promise.then (async)
(anonymous) @ jira-spa.719c24021a2fed160d88.8.js:236
S @ jira-spa.719c24021a2fed160d88.8.js:236
installLowPriorityApps @ jira-spa.719c24021a2fed160d88.8.js:237
(anonymous) @ jira-spa.719c24021a2fed160d88.8.js:984
hu @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:224
Nl @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:245
e.unstable_runWithPriority @ vendor~31ecd969.4a89646cdd547cd78969.8.js:12
$o @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:184
Il @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:244
(anonymous) @ vendor~1f20a385.8d0774b25e749ece1e50.8.js:244
V @ vendor~31ecd969.4a89646cdd547cd78969.8.js:11
w.port1.onmessage @ vendor~31ecd969.4a89646cdd547cd78969.8.js:10

This is how my manifest looks:

  external:
    fetch:
      client:
        - '*.atlassian.com'
        - '*.atlassian.net'
        - '*.atl-paas.net'
        - '*.atlassian-dev.net'
        - '*.gravatar.com'

I made the change, did forge install --upgrade, re-accepted permissions, but the error persists.

What am I missing?

Thanks

Found this in another topic, but it didn’t work:

    external:
        images:
            - '*.atlassian.com'
            - '*.atlassian.net'
            - '*.atl-paas.net'
            - '*.atlassian-dev.net'
            - '*.gravatar.com'
        fetch:
            client:
                - '*.atlassian.com'
                - '*.atlassian.net'
                - '*.atl-paas.net'
                - '*.atlassian-dev.net'
                - '*.gravatar.com'

Actually, I found the changes are not applying. After I authorize the app I see this:

The issue is when the user doesn’t have an avatar and tries to redirect to gravatar to download the standard one.

Avatars not rendering correctly (edge case) - Missing img-src CSP entry on Atlassian side? - Forge / Forge Custom UI and UI kit (beta) - The Atlassian Developer Community

The changes in that post haven’t worked for me yet, but I’m getting closer.

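Added example (not part of the original posts): the console message above is the browser's CORS check, which is applied to every response in a redirect chain, including the 302 itself. This JavaScript models that check for the two URLs in the log; the response headers are constructed, since the thread does not show which hop lacked `Access-Control-Allow-Origin`.

```javascript
// Added example. Header values in the sample chains are constructed;
// the URLs and page origin are the ones in the console output above.
const PAGE = "https://41b5ee78-05a0-49c2-a724-76056a850d9e.cdn.prod.atlassian-dev.net";
const GRAVATAR = "https://secure.gravatar.com/avatar/671bc531020c1d98633c110c298c21cf";
const FALLBACK = "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/initials/G-3.png";

const originOf = (url) => new URL(url).origin;

// CORS check for a request without credentials (img crossOrigin="anonymous"):
// Access-Control-Allow-Origin must be "*" or the exact Origin value sent.
function passesCorsCheck(headers, sentOrigin) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === sentOrigin;
}

// Walk the redirect chain; return the first hop whose response fails the check.
function checkRedirectChain(pageOrigin, hops) {
  let corsMode = false; // becomes true once the request leaves the page origin
  let tainted = false;  // a cross-origin hop redirected to yet another origin
  for (let i = 0; i < hops.length; i++) {
    const hop = hops[i];
    corsMode = corsMode || originOf(hop.url) !== pageOrigin;
    const sentOrigin = tainted ? "null" : pageOrigin;
    if (corsMode && !passesCorsCheck(hop.headers, sentOrigin)) {
      return { ok: false, failedAt: hop.url, status: hop.status, sentOrigin };
    }
    const next = hops[i + 1];
    if (next && originOf(hop.url) !== pageOrigin &&
        originOf(next.url) !== originOf(hop.url)) {
      tainted = true; // from here on the browser sends "Origin: null"
    }
  }
  return { ok: true };
}

// Constructed chains: a 302 from Gravatar to the default-initials image.
const chain = (first, second) => [
  { url: GRAVATAR, status: 302, headers: first },
  { url: FALLBACK, status: 200, headers: second },
];
const star = { "access-control-allow-origin": "*" };
const echo = { "access-control-allow-origin": PAGE };

function demo() {
  return {
    bothStar: checkRedirectChain(PAGE, chain(star, star)),
    noHeaderOn302: checkRedirectChain(PAGE, chain({}, star)),
    echoAfterRedirect: checkRedirectChain(PAGE, chain(star, echo)),
  };
}
console.log(demo());
```

The third case is the edge worth noting: after a cross-origin redirect the browser sends `Origin: null`, so a final response that echoes the page origin still fails, while `*` passes.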