From f8cf54c93ea682f2ac6438ac47dd64a2f3041161 Mon Sep 17 00:00:00 2001 From: Dylan Date: Sat, 11 Apr 2026 22:19:53 +1000 Subject: [PATCH] Fix rich text image display with S3-compatible storage Fix service worker CORS credentials to work with cross-origin Active Storage redirects to S3/R2/GCS/Azure. The turbo-offline service worker inherits credentials: include from the original request, which fails after the cross-origin redirect because S3-compatible stores cannot return Access-Control-Allow-Credentials: true. Using credentials: same-origin sends credentials to Rails for auth but strips them on the cross-origin redirect. Fix ActionText attachment URLs missing account prefix for multi-tenant routing. to_rich_text_attributes generates blob URLs without the account script_name prefix, so AccountSlug::Extractor cannot route them. Adding script_name: Current.account&.slug produces correct tenant-prefixed paths. Nil-safe when no account is set. --- app/views/pwa/service_worker.js.erb | 2 +- config/initializers/active_storage.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/pwa/service_worker.js.erb b/app/views/pwa/service_worker.js.erb index 41fac14463..c34257a341 100644 --- a/app/views/pwa/service_worker.js.erb +++ b/app/views/pwa/service_worker.js.erb @@ -43,7 +43,7 @@ TurboOffline.addRule({ networkTimeout: 2, maxEntrySize: 2 * 1024 * 1024, // 2MB covers about 95% of all Fizzy blobs maxEntries: 500, - fetchOptions: { mode: "cors" } + fetchOptions: { mode: "cors", credentials: "same-origin" } }) }) diff --git a/config/initializers/active_storage.rb b/config/initializers/active_storage.rb index 0062d69793..9c39766b4a 100644 --- a/config/initializers/active_storage.rb +++ b/config/initializers/active_storage.rb @@ -14,7 +14,7 @@ # Ensure all s have a "url" attribute that's a relative # path (for portability across host name changes, beta environments, etc). def to_rich_text_attributes(*) - super.merge url: Rails.application.routes.url_helpers.polymorphic_url(self, only_path: true) + super.merge url: Rails.application.routes.url_helpers.polymorphic_url(self, only_path: true, script_name: Current.account&.slug) end end end