…a background fetch
🤖 Augment PR Summary
Summary: This PR improves export reliability by avoiding CORS-tainted canvases when rendering pages that contain cross-origin images.
Changes:
Technical Notes: Background fetch omits credentials and checks
| } else if ((msg as any).type === "fetch_image") { | ||
| // Fetch a cross-origin image from the background (privileged context) | ||
| // and return it as a data URL for export. | ||
| const imageUrl = msg.payload?.url; |
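Review bot: The `(msg as any).type` cast in the branch condition switches off type checking for this message, so `msg.payload?.url` on the last line is untyped and may be undefined or a non-string when it reaches the fetch. The PR summary says the new message type is registered in model.d.ts, so compare `msg.type === "fetch_image"` directly and let the compiler narrow the payload; keep a runtime `typeof imageUrl === "string"` check as well, since messages arrive from a less privileged context.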
Since this runs in a privileged background context, consider validating that imageUrl is an expected scheme (e.g. http(s) only) before attempting fetch, to avoid surprising behavior on unusual/invalid URL types.
Severity: low
| return; | ||
| } | ||
| const blob = await response.blob(); | ||
| const dataUrl = await blobToDataUrl(blob); |
Converting an arbitrary image Blob to a base64 data URL can create very large strings; if the payload exceeds Chrome message size limits (or causes memory pressure), this path may fail and the caller will just see a null image with no clear cause.
Severity: medium
| // Avoid fetching ordinary same-origin images that simply haven't loaded | ||
| // yet. If the already-loaded image is still unsafe, fetch it regardless | ||
| // of origin to handle redirecting asset URLs. | ||
| if (!imageLoaded && url.origin === sourceOrigin) { |
This early-return means same-origin images that haven’t loaded yet won’t be background-fetched, which can miss the “same-origin URL that redirects cross-origin at load time” case described above and still lead to a tainted canvas in some exports.
Severity: medium
Summary
- `fetchImageViaBackground` and `convertCrossOriginImages` helpers in `exportUtils.ts` that run before `html2canvas`, converting unsafe images to data URLs so the canvas is never tainted.
- `fetch_image` message handler in `background.ts` (with `arrayBufferToBase64`/`blobToDataUrl` utilities) and registers the new message type in `model.d.ts`.
- `0.5.4`.
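An added example, not code from this PR: guards of the kind the first two review comments ask for, run before the fetch (URL scheme) and before base64 conversion (content type and size), each returning a reason the caller can surface instead of a bare null. The names `checkImageUrl`, `checkImageBody`, `dataUrlLength` and the 8 MiB cap are assumptions.

```typescript
// Added example: guards for a background image-fetch handler. Not the PR's code.
type Check<T> = { ok: true; value: T } | { ok: false; reason: string };

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_IMAGE_BYTES = 8 * 1024 * 1024; // assumed cap, tune per extension

// Validate the URL taken from the message payload before any fetch happens.
function checkImageUrl(raw: unknown): Check<string> {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "url missing or not a string" };
  }
  let parsed: URL;
  try {
    parsed = new URL(raw); // no base given, so relative input throws
  } catch {
    return { ok: false, reason: "url does not parse as absolute" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    // fetch() rejects such URLs anyway; fail early with a readable reason.
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  return { ok: true, value: parsed.href };
}

// Length of "data:<type>;base64,<payload>" for a body of `size` bytes.
function dataUrlLength(type: string, size: number): number {
  return "data:".length + type.length + ";base64,".length + 4 * Math.ceil(size / 3);
}

// Check the fetched body's metadata (Blob-like) before base64 conversion.
function checkImageBody(
  body: { type: string; size: number },
  maxBytes: number = MAX_IMAGE_BYTES,
): Check<number> {
  if (!body.type.toLowerCase().startsWith("image/")) {
    return { ok: false, reason: `content type ${body.type || "(none)"} is not an image` };
  }
  if (body.size > maxBytes) {
    return { ok: false, reason: `image is ${body.size} bytes, cap is ${maxBytes}` };
  }
  return { ok: true, value: dataUrlLength(body.type, body.size) };
}
```

A `Blob` satisfies the `{ type, size }` shape, so `checkImageBody(blob)` can sit directly in front of the conversion step.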