Diagnoses why a background/overlay asset from the Bintu VOD CDN fails to load in the
tuner. Runs the exact load the tuner does — crossOrigin="anonymous" + a canvas
pixel read — against the direct CDN URL and against the
same-origin /api/asset proxy, plus a server-side header probe.
See CORS.md for the full write-up.
idle
A · Direct + crossOrigin
— not run —
What the tuner does today. Fails if the CDN omits the CORS header.
B · Direct, no crossOrigin
— not run —
Control: asset reachable? Loads even without CORS, but canvas is tainted.
C · Via /api/asset proxy
— not run —
Same-origin proxy fallback. Should always be clean if backend is up.
CDN header matrix (server-side, via /api/asset?inspect)
Sent Origin
ACAO returned
Vary
HTTP
Verdict
Reflected = ACAO echoes the sent Origin (robust). Same value for every row = static/allowlisted. “(none)” = no CORS.
Enter an asset URL (or append ?url=… to this page) and click a test.