inlinecoder
diff --git a/Diff for: ‎docs/upload/overview.mdx
+79-20 b/Diff for: ‎docs/upload/overview.mdx
+79-20
diff --git a/Diff for: ‎packages/payload/src/collections/endpoints/getFileFromURL.ts
+81 b/Diff for: ‎packages/payload/src/collections/endpoints/getFileFromURL.ts
+81
diff --git a/Diff for: ‎packages/payload/src/collections/endpoints/index.ts
+6 b/Diff for: ‎packages/payload/src/collections/endpoints/index.ts
+6
diff --git a/Diff for: ‎packages/payload/src/uploads/types.ts
+19 b/Diff for: ‎packages/payload/src/uploads/types.ts
+19
@@ -88,26 +88,27 @@ export const Media: CollectionConfig = {
 
 _An asterisk denotes that an option is required._
 
-| Option                         | Description                                                                                                                                                                                                                           |
-| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **`adminThumbnail`**           | Set the way that the [Admin Panel](../admin/overview) will display thumbnails for this Collection. [More](#admin-thumbnails)                                                                                                          |
-| **`bulkUpload`**               | Allow users to upload in bulk from the list view, default is true                                                                                                                                                                     |
-| **`cacheTags`**                | Set to `false` to disable the cache tag set in the UI for the admin thumbnail component. Useful for when CDNs don't allow certain cache queries.                                                                               |
-| **`crop`**                     | Set to `false` to disable the cropping tool in the [Admin Panel](../admin/overview). Crop is enabled by default. [More](#crop-and-focal-point-selector)                                                                               |
-| **`disableLocalStorage`**      | Completely disable uploading files to disk locally. [More](#disabling-local-upload-storage)                                                                                                                                           |
-| **`displayPreview`**           | Enable displaying preview of the uploaded file in Upload fields related to this Collection. Can be locally overridden by `displayPreview` option in Upload field. [More](/docs/fields/upload#config-options).                         |
-| **`externalFileHeaderFilter`** | Accepts existing headers and returns the headers after filtering or modifying.                                                                                                                                                        |
-| **`filesRequiredOnCreate`**    | Mandate file data on creation, default is true.                                                                                                                                                                                       |
-| **`filenameCompoundIndex`**    | Field slugs to use for a compound index instead of the default filename index. |
-| **`focalPoint`**               | Set to `false` to disable the focal point selection tool in the [Admin Panel](../admin/overview). The focal point selector is only available when `imageSizes` or `resizeOptions` are defined. [More](#crop-and-focal-point-selector) |
-| **`formatOptions`**            | An object with `format` and `options` that are used with the Sharp image library to format the upload file. [More](https://sharp.pixelplumbing.com/api-output#toformat)                                                               |
-| **`handlers`**                 | Array of Request handlers to execute when fetching a file, if a handler returns a Response it will be sent to the client. Otherwise Payload will retrieve and send back the file.                                                     |
-| **`imageSizes`**               | If specified, image uploads will be automatically resized in accordance to these image sizes. [More](#image-sizes)                                                                                                                    |
-| **`mimeTypes`**                | Restrict mimeTypes in the file picker. Array of valid mimetypes or mimetype wildcards [More](#mimetypes)                                                                                                                              |
-| **`resizeOptions`**            | An object passed to the the Sharp image library to resize the uploaded file. [More](https://sharp.pixelplumbing.com/api-resize)                                                                                                       |
-| **`staticDir`**                | The folder directory to use to store media in. Can be either an absolute path or relative to the directory that contains your config. Defaults to your collection slug                                                                |
-| **`trimOptions`**              | An object passed to the the Sharp image library to trim the uploaded file. [More](https://sharp.pixelplumbing.com/api-resize#trim)                                                                                                    |
-| **`withMetadata`**             | If specified, appends metadata to the output image file.  Accepts a boolean or a function that receives `metadata` and `req`, returning a boolean.                                                                                    |
+| Option                         | Description                                                                                                                                                                                                                                        |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **`adminThumbnail`**           | Set the way that the [Admin Panel](../admin/overview) will display thumbnails for this Collection. [More](#admin-thumbnails)                                                                                                                       |
+| **`bulkUpload`**               | Allow users to upload in bulk from the list view, default is true                                                                                                                                                                                  |
+| **`cacheTags`**                | Set to `false` to disable the cache tag set in the UI for the admin thumbnail component. Useful for when CDNs don't allow certain cache queries.                                                                                                   |
+| **`crop`**                     | Set to `false` to disable the cropping tool in the [Admin Panel](../admin/overview). Crop is enabled by default. [More](#crop-and-focal-point-selector)                                                                                            |
+| **`disableLocalStorage`**      | Completely disable uploading files to disk locally. [More](#disabling-local-upload-storage)                                                                                                                                                        |
+| **`displayPreview`**           | Enable displaying preview of the uploaded file in Upload fields related to this Collection. Can be locally overridden by `displayPreview` option in Upload field. [More](/docs/fields/upload#config-options).                                      |
+| **`externalFileHeaderFilter`** | Accepts existing headers and returns the headers after filtering or modifying.                                                                                                                                                                     |
+| **`filesRequiredOnCreate`**    | Mandate file data on creation, default is true.                                                                                                                                                                                                    |
+| **`filenameCompoundIndex`**    | Field slugs to use for a compound index instead of the default filename index.                                                                                                                                                                     |
+| **`focalPoint`**               | Set to `false` to disable the focal point selection tool in the [Admin Panel](../admin/overview). The focal point selector is only available when `imageSizes` or `resizeOptions` are defined. [More](#crop-and-focal-point-selector)              |
+| **`formatOptions`**            | An object with `format` and `options` that are used with the Sharp image library to format the upload file. [More](https://sharp.pixelplumbing.com/api-output#toformat)                                                                            |
+| **`handlers`**                 | Array of Request handlers to execute when fetching a file, if a handler returns a Response it will be sent to the client. Otherwise Payload will retrieve and send back the file.                                                                  |
+| **`imageSizes`**               | If specified, image uploads will be automatically resized in accordance to these image sizes. [More](#image-sizes)                                                                                                                                 |
+| **`mimeTypes`**                | Restrict mimeTypes in the file picker. Array of valid mimetypes or mimetype wildcards [More](#mimetypes)                                                                                                                                           |
+| **`pasteURL`**                 | Controls whether files can be uploaded from remote URLs by pasting them into the Upload field. **Enabled by default.** Accepts `false` to disable or an object with an `allowList` of valid remote URLs. [More](#uploading-files-from-remote-urls) |
+| **`resizeOptions`**            | An object passed to the the Sharp image library to resize the uploaded file. [More](https://sharp.pixelplumbing.com/api-resize)                                                                                                                    |
+| **`staticDir`**                | The folder directory to use to store media in. Can be either an absolute path or relative to the directory that contains your config. Defaults to your collection slug                                                                             |
+| **`trimOptions`**              | An object passed to the the Sharp image library to trim the uploaded file. [More](https://sharp.pixelplumbing.com/api-resize#trim)                                                                                                                 |
+| **`withMetadata`**             | If specified, appends metadata to the output image file.  Accepts a boolean or a function that receives `metadata` and `req`, returning a boolean.                                                                                                 |
 
 
 ### Payload-wide Upload Options
@@ -327,6 +328,64 @@ fetch('api/:upload-slug', {
 })
 ```
 
+## Uploading Files from Remote URLs
+
+The `pasteURL` option allows users to fetch files from remote URLs by pasting them into an Upload field. This option is **enabled by default** and can be configured to either **allow unrestricted client-side fetching** or **restrict server-side fetching** to specific trusted domains.
+
+By default, Payload uses **client-side fetching**, where the browser downloads the file directly from the provided URL. However, **client-side fetching will fail if the URL’s server has CORS restrictions**, making it suitable only for internal URLs or public URLs without CORS blocks.
+
+To fetch files from **restricted URLs** that would otherwise be blocked by CORS, use **server-side fetching** by configuring the `pasteURL` option with an `allowList` of trusted domains. This method ensures that Payload downloads the file on the server and streams it to the browser. However, for security reasons, only URLs that match the specified `allowList` will be allowed.
+
+#### Configuration Example
+
+Here’s how to configure the pasteURL option to control remote URL fetching:
+
+```
+import type { CollectionConfig } from 'payload'
+
+export const Media: CollectionConfig = {
+  slug: 'media',
+  upload: {
+    pasteURL: {
+      allowList: [
+        {
+          hostname: 'payloadcms.com', // required
+          pathname: '',
+          port: '',
+          protocol: 'https',
+          search: ''
+        },
+        {
+          hostname: 'example.com',
+          pathname: '/images/*',
+        },
+      ],
+    },
+  },
+}
+```
+
+##### Accepted Values for `pasteURL`
+
+| Option          | Description                                                                                                                                                    |
+| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **`undefined`** | Default behavior. Enables client-side fetching for internal or public URLs.                                                                                    |
+| **`false`**     | Disables the ability to paste URLs into Upload fields.                                                                                                         |
+| **`allowList`** | Enables server-side fetching for specific trusted URLs. Requires an array of objects defining trusted domains. See the table below for details on `AllowItem`. |
+
+##### `AllowItem` Properties
+
+_An asterisk denotes that an option is required._
+
+| Option           | Description                                                                                          | Example       |
+| ---------------- | ---------------------------------------------------------------------------------------------------- | ------------- |
+| **`hostname`** * | The hostname of the allowed URL. This is required to ensure the URL is coming from a trusted source. | `example.com` |
+| **`pathname`**   | The path portion of the URL. Supports wildcards to match multiple paths.                             | `/images/*`   |
+| **`port`**       | The port number of the URL. If not specified, the default port for the protocol will be used.        | `3000`        |
+| **`protocol`**   | The protocol to match. Must be either `http` or `https`. Defaults to `https`.                        | `https`       |
+| **`search`**     | The query string of the URL. If specified, the URL must match this exact query string.               | `?version=1`  |
+
+
 ## Access Control
 
 All files that are uploaded to each Collection automatically support the `read` [Access Control](/docs/access-control/overview) function from the Collection itself. You can use this to control who should be allowed to see your uploads, and who should not.
@@ -0,0 +1,81 @@
+import type { PayloadHandler } from '../../config/types.js'
+
+import executeAccess from '../../auth/executeAccess.js'
+import { APIError } from '../../errors/APIError.js'
+import { Forbidden } from '../../errors/Forbidden.js'
+import { getRequestCollectionWithID } from '../../utilities/getRequestEntity.js'
+import { isURLAllowed } from '../../utilities/isURLAllowed.js'
+
+// If doc id is provided, it means we are updating the doc
+// /:collectionSlug/paste-url/:doc-id?src=:fileUrl
+
+// If doc id is not provided, it means we are creating a new doc
+// /:collectionSlug/paste-url?src=:fileUrl
+
+export const getFileFromURLHandler: PayloadHandler = async (req) => {
+  const { id, collection } = getRequestCollectionWithID(req, { optionalID: true })
+
+  if (!req.user) {
+    throw new Forbidden(req.t)
+  }
+
+  const config = collection?.config
+
+  if (id) {
+    // updating doc
+    const accessResult = await executeAccess({ req }, config.access.update)
+    if (!accessResult) {
+      throw new Forbidden(req.t)
+    }
+  } else {
+    // creating doc
+    const accessResult = await executeAccess({ req }, config.access?.create)
+    if (!accessResult) {
+      throw new Forbidden(req.t)
+    }
+  }
+  try {
+    if (!req.url) {
+      throw new APIError('Request URL is missing.', 400)
+    }
+
+    const { searchParams } = new URL(req.url)
+    const src = searchParams.get('src')
+
+    if (!src || typeof src !== 'string') {
+      throw new APIError('A valid URL string is required.', 400)
+    }
+
+    const validatedUrl = new URL(src)
+
+    if (
+      typeof config.upload?.pasteURL === 'object' &&
+      !isURLAllowed(validatedUrl.href, config.upload.pasteURL.allowList)
+    ) {
+      throw new APIError(`The provided URL (${validatedUrl.href}) is not allowed.`, 400)
+    }
+
+    // Fetch the file with no compression
+    const response = await fetch(validatedUrl.href, {
+      headers: {
+        'Accept-Encoding': 'identity',
+      },
+    })
+
+    if (!response.ok) {
+      throw new APIError(`Failed to fetch file from ${validatedUrl.href}`, response.status)
+    }
+
+    const decodedFileName = decodeURIComponent(validatedUrl.pathname.split('/').pop() || '')
+
+    return new Response(response.body, {
+      headers: {
+        'Content-Disposition': `attachment; filename="${decodedFileName}"`,
+        'Content-Length': response.headers.get('content-length') || '',
+        'Content-Type': response.headers.get('content-type') || 'application/octet-stream',
+      },
+    })
+  } catch (error) {
+    throw new APIError(`Error fetching file: ${error.message}`, 500)
+  }
+}
@@ -13,6 +13,7 @@ import { findByIDHandler } from './findByID.js'
 import { findVersionByIDHandler } from './findVersionByID.js'
 import { findVersionsHandler } from './findVersions.js'
 import { getFileHandler } from './getFile.js'
+import { getFileFromURLHandler } from './getFileFromURL.js'
 import { previewHandler } from './preview.js'
 import { restoreVersionHandler } from './restoreVersion.js'
 import { updateHandler } from './update.js'
@@ -46,6 +47,11 @@ export const defaultCollectionEndpoints: Endpoint[] = [
       method: 'post',
       path: '/access/:id?',
     },
+    {
+      handler: getFileFromURLHandler,
+      method: 'get',
+      path: '/paste-url/:id?',
+    },
     {
       handler: findVersionsHandler,
       method: 'get',
 
@@ -83,6 +83,14 @@ export type ImageSize = {
 
 export type GetAdminThumbnail = (args: { doc: Record<string, unknown> }) => false | null | string
 
+export type AllowList = Array<{
+  hostname: string
+  pathname?: string
+  port?: string
+  protocol?: 'http' | 'https'
+  search?: string
+}>
+
 export type UploadConfig = {
   /**
    * The adapter name to use for uploads. Used for storage adapter telemetry.
@@ -175,6 +183,17 @@ export type UploadConfig = {
    * @default undefined
    */
   modifyResponseHeaders?: ({ headers }: { headers: Headers }) => Headers
+  /**
+   * Controls the behavior of pasting/uploading files from URLs.
+   * If set to `false`, fetching from remote URLs is disabled.
+   * If an allowList is provided, server-side fetching will be enabled for specified URLs.
+   * @default true (client-side fetching enabled)
+   */
+  pasteURL?:
+    | {
+        allowList: AllowList
+      }
+    | false
   /**
    * Sharp resize options for the original image.
    * @link https://sharp.pixelplumbing.com/api-resize#resize