Bug 80028

Summary: Setting crossOrigin attribute for images won't trigger onerror on CORS denial
Product: WebKit Reporter: Niklas von Hertzen <niklasvh>
Component: ImagesAssignee: Adam Barth <abarth>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, ap, mkwst, pf
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
example where onerror / onload isn't triggered none

Niklas von Hertzen
Reported 2012-03-01 07:49:21 PST
Created attachment 129704 [details] example where onerror / onload isn't triggered When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change. The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element." Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example.
Attachments
example where onerror / onload isn't triggered (551 bytes, text/html)
2012-03-01 07:49 PST, Niklas von Hertzen 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2012-03-02 14:26:56 PST
There should be no way to differentiate between non-existent resources and
Alexey Proskuryakov
Comment 2 2012-03-02 14:27:32 PST
Taking that unfinished comment back, this doesn't seem like security.
Adam Barth
Comment 3 2012-03-02 15:23:10 PST
I'm going to try to fix this bug next week. If someone else is excited about fixing it sooner, go for it.
Adam Barth
Comment 4 2012-06-19 00:32:20 PDT
@mkwst: Here's the related bug for CORS. I thought I fixed this though... Maybe I did it in a different bug.
Adam Barth
Comment 5 2012-06-19 00:32:51 PDT
*** This bug has been marked as a duplicate of bug 81998 ***
Note You need to log in before you can comment on or make changes to this bug.