CORS issue when loading images via Asset Portal lightbox (S3 + CloudFront)

[thomasender]

I’m experiencing a CORS error when opening images in the Pimcore Asset Portal lightbox, even though the same images load fine on the asset detail page.

Setup:
• Pimcore Asset Portal frontend served from
• Assets stored in S3 bucket
• CloudFront distribution in front of S3.
• S3 bucket CORS configuration allows and supports GET/HEAD for images.
• CloudFront behavior for /thumbnails/* path uses:
• Origin: S3 bucket
• Cache policy: Managed-CachingOptimized
• Origin request policy: Managed-CORS-S3Origin (forwards Origin header to S3)

Observed behavior:
• Image URLs for the detail page (element-detail thumbnails) load successfully in the browser.
• Image URLs for the lightbox (lightbox thumbnails) fail with a CORS error in the browser console.
• Example failing request headers include Origin: and sec-fetch-mode: cors.
• Inspecting the response headers from CloudFront shows no Access-Control-Allow-Origin.

Troubleshooting steps attempted:
1. Confirmed S3 bucket CORS configuration includes the correct origin.
2. Invalidated CloudFront cache for /thumbnails/* (yes i did wait for over a day to make sure the caches are cleared)
3. Confirmed CloudFront behavior uses the CORS-S3Origin policy.
4. Verified requests and responses via curl with and without Origin header.

Notes / Suspicion:
• It seems CloudFront may not be forwarding the Origin header to S3 for the lightbox thumbnail requests, or caching may still be returning responses without CORS headers.
• Browser allows normal loads (detail page thumbnails) but blocks JS/XHR fetches (lightbox), which explains the difference.

Request:
Any guidance on why lightbox images specifically would fail CORS even with proper S3 CORS config and CORS-S3Origin origin request policy? Could this be a Pimcore Asset Portal lightbox behavior issue, or a CloudFront/S3 interaction problem?

[kingjia90]

Fixed by https://github.com/pimcore/portal-engine/pull/783 (4.2.13)