From ce18758158745d234f03ea181b067291af3e8f98 Mon Sep 17 00:00:00 2001
From: Uladzislau Lasitsa <Uladzislau_Lasitsa@epam.com>
Date: Mon, 1 Mar 2021 18:09:44 +0300
Subject: [PATCH] [Vega] Allow image loading without CORS policy by changing
 the default to crossOrigin=null (#91991) (#92956)

* changing the default to crossOrigin=null in Vega

* Fix eslint

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../vis_type_vega/public/vega_view/vega_base_view.js      | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
index 14e4d6034c1c2..353273d1372e6 100644
--- a/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
+++ b/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
@@ -172,7 +172,7 @@ export class VegaBaseView {
     // Override URL sanitizer to prevent external data loading (if disabled)
     const vegaLoader = loader();
     const originalSanitize = vegaLoader.sanitize.bind(vegaLoader);
-    vegaLoader.sanitize = (uri, options) => {
+    vegaLoader.sanitize = async (uri, options) => {
       if (uri.bypassToken === bypassToken) {
         // If uri has a bypass token, the uri was encoded by bypassExternalUrlCheck() above.
         // because user can only supply pure JSON data structure.
@@ -189,7 +189,11 @@ export class VegaBaseView {
           })
         );
       }
-      return originalSanitize(uri, options);
+      const result = await originalSanitize(uri, options);
+      // This will allow Vega users to load images from any domain.
+      result.crossOrigin = null;
+
+      return result;
     };
     config.loader = vegaLoader;