[Images] Updated docs for allowed origins #19795
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,66 @@ | ||||||
| --- | ||||||
| pcx_content_type: how-to | ||||||
| title: Define source origin | ||||||
| sidebar: | ||||||
| order: 2 | ||||||
| --- | ||||||
|
|
||||||
| When optimizing remote images, you can specify which origins can be used as the source for transformed images. By default, Cloudflare accepts only source images from the zone where your transformations are served. | ||||||
|
|
||||||
| You will learn how to define and manage the origins for the source images that you want to optimize. | ||||||
|
Contributor
There was a problem hiding this comment. I feel like...
It's a bit confusing to run into here. Cause you introduced this idea at the first sentence already. |
||||||
|
|
||||||
| :::note | ||||||
| This setting applies to requests from Cloudflare Workers. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
What is 'this setting'? |
||||||
|
|
||||||
| If you use a Worker to optimize remote images via a `fetch()` subrequest, then this setting may conflict with existing logic that handles source images. | ||||||
| ::: | ||||||
|
|
||||||
| ## How it works | ||||||
|
|
||||||
| In the Cloudflare dashboard, go to **Images** > **Transformations** and select the zone where you want to serve transformations. | ||||||
|
|
||||||
| To get started, you must have [transformations enabled on your zone](/images/get-started/#enable-transformations). | ||||||
|
|
||||||
| In **Sources**, you can configure the origins for transformations on your zone. | ||||||
|
|
||||||
|  | ||||||
|
|
||||||
| ## Allow source images only from allowed origins | ||||||
|
|
||||||
| You can restrict source images to **allowed origins**, which applies transformations only to source images from a defined list. | ||||||
|
|
||||||
| By default, your accepted sources are set to **allowed origins**. Cloudflare will always allow source images from the same zone where your transformations are served. | ||||||
|
|
||||||
| If you request a transformation with a source image from outside your **allowed origins**, then the image will be rejected. For example, if you serve transformations on your zone `a.com` and do not define any additional origins, then `a.com/image.png` can be used as a source image, but b.com/image.png will return an error. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| To define a new origin: | ||||||
|
|
||||||
| 1. From **Sources**, select **Add origin**. | ||||||
| 2. Under **Domain**, specify the domain for the source image. Only valid web URLs will be accepted. | ||||||
|
|
||||||
|  | ||||||
|
|
||||||
| When you add a root domain, subdomains are not accepted. In other words, if you add `b.com`, then source images from media.b.com will be rejected. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| To support individual subdomains, you can define an additional origin such as `media.b.com`. If you add only `media.b.com` and not the root domain, then source images from the root domain (`b.com`) and other subdomains (`cdn.b.com`) will be rejected. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| To support all subdomains, you can use the `*` wildcard at the beginning of the root domain. For example, `*.b.com` will accept source images from the root domain (like `b.com/image.png`) as well as from subdomains (like `media.b.com/image.png` or `cdn.b.com/image.png`). | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| 3. Optionally, specify the **Path** for the source image. If no path is specified, then source images from all paths on this domain are accepted. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| Cloudflare checks whether the defined path is at the beginning of the source path. If the defined path is not present at the beginning of the path, then the source image will be rejected. | ||||||
|
|
||||||
| For example, if you define an origin with domain `b.com` and path `/themes`, then `b.com/themes/image.png` will be accepted but `b.com/media/themes/image.pn`g will be rejected. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| 4. Select **Add**. Your origin will now appear in your list of allowed origins. | ||||||
| 5. Select **Save**. These changes will take effect immediately. | ||||||
|
|
||||||
| When you configure **allowed origins**, only the initial URL of the source image is checked. Any redirects, including URLs that leave your zone, will be followed, and the resulting image will be transformed. | ||||||
|
|
||||||
| If you change your accepted sources to **any origin**, then your list of sources will be cleared and reset to default. | ||||||
|
|
||||||
| ## Allow source images from any origin | ||||||
|
|
||||||
| When your accepted sources are set to **any origin**, any publicly available image can be used as the source image for transformations on this zone. | ||||||
|
|
||||||
| This setting is less secure and may allow third parties to serve transformations on your zone. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's good to define exactly what our "this" statements are. Are they enabling the automatic caching or the image transformation? I assume it is the transformation so I offered this suggestion.