Bug 307812

Summary:	video element doesn't respect CORS for WebM resources
Product:	WebKit	Reporter:	Andriy <andriy.lysnevych>
Component:	Media	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED DUPLICATE
Severity:	Normal	CC:	annevk, jean-yves.avenard, jer.noble, owen.morgan, webkit-bug-importer, youennf, zach
Priority:	P2	Keywords:	InRadar
Version:	Safari 26
Hardware:	All
OS:	All

Andriy

Reported 2026-02-13 09:23:37 PST

Safari 18 and 26 on iOS and macOS with WebM videos only always treat <video> element as tainted (insecure) with WebM sources even if correct CORS headers and crossorigin="anonymous" set. Minimum reproducible example that does snapshots from video to canvas: https://jsfiddle.net/s2w5vk76/ It doesn’t work in Safari 18 and 26 failing with a security error. It works in all other browsers: Chrome, Firefox, Safari 17 (tested in BrowserStack), Epiphany (WebKit in Ubuntu) Also this example works in Safari 18 and 26 if change source from WebM to MP4

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2026-02-20 09:24:10 PST

<rdar://problem/170810382>

owen.morgan

Comment 2 2026-02-26 01:37:43 PST

Pull Request: https://github.com/WebKit/WebKit/pull/59495

Anne van Kesteren

Comment 3 2026-06-05 07:04:49 PDT

*** This bug has been marked as a duplicate of bug 242869 ***

Note You need to log in before you can comment on or make changes to this bug.