From b3c61134fcb64150bdd164d1b75e81d8d4c4f43d Mon Sep 17 00:00:00 2001
From: ZGaetano <zgaetano@wilddragon.net>
Date: Tue, 26 May 2026 16:03:26 +0000
Subject: [PATCH] fix(filmstrip): remove crossOrigin=anonymous from probe video
 element
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /video endpoint requires session auth (requireAuth middleware).
crossOrigin='anonymous' strips cookies from the request → 401 → video
never loads → 15s timeout → filmstrip stays empty for all clips.

Same-origin video does not need crossOrigin for canvas drawImage — the
taint restriction only applies to cross-origin resources.
---
 services/web-ui/public/screens-asset.jsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/web-ui/public/screens-asset.jsx b/services/web-ui/public/screens-asset.jsx
index 61b2f8d..833dfd7 100644
--- a/services/web-ui/public/screens-asset.jsx
+++ b/services/web-ui/public/screens-asset.jsx
@@ -90,7 +90,10 @@ function AssetDetail({ asset, onClose }) {
     const build = async function() {
       setFilmstripLoading(true);
       const probe = document.createElement('video');
-      probe.crossOrigin = 'anonymous';
+      // Do NOT set crossOrigin — the /video endpoint is same-origin and requires
+      // session cookies. crossOrigin='anonymous' strips credentials → 401 → load
+      // fails → filmstrip never builds. Same-origin video can be drawn to canvas
+      // without crossOrigin (no taint applies).
       probe.muted = true;
       probe.playsInline = true;
       probe.preload = 'auto';