80028 2012-03-01 07:49:21 -0800 Setting crossOrigin attribute for images won't trigger onerror on CORS denial 2012-06-19 00:32:51 -0700 1 1 1 Unclassified WebKit Images 528+ (Nightly build) PC Windows Vista RESOLVED DUPLICATE 81998 P2 Normal --- 1 niklasvh abarth abarth ap mkwst pf oldest_to_newest 568658 0 129704 niklasvh 2012-03-01 07:49:21 -0800 Created attachment 129704 example where onerror / onload isn't triggered When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change. The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element." Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example. 569946 1 ap 2012-03-02 14:26:56 -0800 There should be no way to differentiate between non-existent resources and 569947 2 ap 2012-03-02 14:27:32 -0800 Taking that unfinished comment back, this doesn't seem like security. 569986 3 abarth 2012-03-02 15:23:10 -0800 I'm going to try to fix this bug next week. If someone else is excited about fixing it sooner, go for it. 652153 4 abarth 2012-06-19 00:32:20 -0700 @mkwst: Here's the related bug for CORS. I thought I fixed this though... Maybe I did it in a different bug. 652154 5 abarth 2012-06-19 00:32:51 -0700 *** This bug has been marked as a duplicate of bug 81998 *** 129704 2012-03-01 07:49:21 -0800 2012-03-01 07:49:21 -0800 example where onerror / onload isn't triggered crossorigin.html text/html 551 niklasvh PHNjcmlwdD4NCmZ1bmN0aW9uIGlzQ29tcGxldGUoKSB7DQogICAgKCF0aGlzLmNvbXBsZXRlKSA/ IHdpbmRvdy5zZXRUaW1lb3V0KHRoaXMuY3VzdG9tQ29tcGxldGUsIDEwMCkgOiB0aGlzLm9uZXJy b3IoKTsNCn0NCg0KdmFyIGltZyA9IG5ldyBJbWFnZSgpOw0KaW1nLmNyb3NzT3JpZ2luID0gIiI7 DQoNCmltZy5vbmxvYWQgPSBmdW5jdGlvbihlKSB7DQogY29uc29sZS5sb2coJ2xvYWQ/PycpOyAg ICANCn0NCiAgICANCmltZy5vbmVycm9yID0gZnVuY3Rpb24oZSkgew0KICAgIChlID09PSB1bmRl ZmluZWQpID8gY29uc29sZS5sb2coImN1c3RvbSBlcnJvciIpIDogY29uc29sZS5sb2coInJlYWwg ZXJyb3IiLCBlKTsNCn0NCiAgICANCiAgICANCmltZy5zcmMgPSAiaHR0cHM6Ly93d3cuZ29vZ2xl LmNvbS9pbnRsL2VuX2NvbS9pbWFnZXMvc3Jwci9sb2dvM3cucG5nIjsgLy8gZG9lc24ndCBoYXZl IGNvcnMgZW5hYmxlZA0KDQppbWcuY3VzdG9tQ29tcGxldGUgPSBpc0NvbXBsZXRlLmJpbmQoaW1n KTsNCg0KaW1nLmN1c3RvbUNvbXBsZXRlKCk7DQo8L3NjcmlwdD4=