Bug 80028

Summary: Setting crossOrigin attribute for images won't trigger onerror on CORS denial
Product: WebKit Reporter: Niklas von Hertzen <niklasvh>
Component: ImagesAssignee: Adam Barth <abarth>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, ap, mkwst, pf
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
example where onerror / onload isn't triggered none

Description Niklas von Hertzen 2012-03-01 07:49:21 PST 
Created attachment 129704 [details]
example where onerror / onload isn't triggered

When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change. 

The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element."

Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example.
Comment 1 Alexey Proskuryakov 2012-03-02 14:26:56 PST 
There should be no way to differentiate between non-existent resources and
Comment 2 Alexey Proskuryakov 2012-03-02 14:27:32 PST 
Taking that unfinished comment back, this doesn't seem like security.
Comment 3 Adam Barth 2012-03-02 15:23:10 PST 
I'm going to try to fix this bug next week.  If someone else is excited about fixing it sooner, go for it.
Comment 4 Adam Barth 2012-06-19 00:32:20 PDT 
@mkwst: Here's the related bug for CORS.  I thought I fixed this though...  Maybe I did it in a different bug.
Comment 5 Adam Barth 2012-06-19 00:32:51 PDT 

*** This bug has been marked as a duplicate of bug 81998 ***