We are using the API endpoint `/rest/api/content` to get the `body.export_view` of pages and display it. Today, in a regular test run, I found that all emojis were broken in our view - on EAP instances as well as production instances. Investigating this, I found the following:
- The images used are rendered differently in export view and the normal view - the normal view now uses a sprite map, the export and source views reference a normal PNG file.
- The PNG file is incorrectly served as `Content-Type: text/html;charset=UTF-8`
- This does not hurt when using the Advanced Details > View Source option, as the images are on the same domain.
- But if you view the export HTML served from another domain (our cloud app backend, for instance), Chrome triggers a CORB (“Cross-Origin Read Blocking (CORB) blocked cross-origin response …/wiki/s/1849554224/6452/1bfb216518b5b44e4949193824b9585fefbf8439/_/images/icons/emoticons/72/1f468-200d-1f692.png with MIME type text/html”)
- This seems to happen because of the dubious Content-Type.
I am rather surprised by this problem as everything was still working some days ago. However, this needs to be fixed and I am afraid that this is a bug in Confluence Cloud. And it might break many other security-conscious things in strange ways…
Suggested fix: please make the `AtlassianProxy` serve files with correct Content Types, `image/png` for example for PNG images, not just text/html everything.
Thank you!
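A regression check for the mismatch reported above, as an added example that is not part of the original post and is not Atlassian code: it compares a response's declared `Content-Type` with the image signature in the body and flags declared types in the class CORB protects. The function names and the sample bytes are constructed for illustration.

```javascript
// Known image signatures (magic bytes at offset 0).
const SIGNATURES = [
  { mime: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
];

// "text/html;charset=UTF-8" -> "text/html"
function essence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// CORB protects HTML, XML and JSON MIME types; image/svg+xml is exempt.
function isCorbProtected(mime) {
  if (mime === "image/svg+xml") return false;
  return /^(text\/html|text\/xml|application\/xml|text\/json|application\/json)$/.test(mime)
      || /\+(xml|json)$/.test(mime);
}

// Returns the image MIME type implied by the body, or null if none matches.
function sniffImage(body) {
  const hit = SIGNATURES.find(s => s.bytes.every((b, i) => body[i] === b));
  return hit ? hit.mime : null;
}

function checkImageResponse(headers, body) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const declared = essence(h["content-type"]);
  const sniffed = sniffImage(body);
  return {
    declared,
    sniffed,
    mismatch: sniffed !== null && declared !== sniffed,
    corbProtectedType: isCorbProtected(declared),
    // With nosniff, CORB acts on the declared type without sniffing the body.
    nosniff: (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff",
  };
}

// Constructed sample: PNG signature plus the start of an IHDR chunk.
const pngBody = Uint8Array.from(
  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
// Header value as reported in the post, then the value the post asks for.
const broken = checkImageResponse({ "Content-Type": "text/html;charset=UTF-8" }, pngBody);
const fixed = checkImageResponse({ "Content-Type": "image/png" }, pngBody);
console.log(broken, fixed);
```

In a test run, feed it the headers and first bytes of each image URL referenced by the export view and fail on any result where `mismatch` is true.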