Created attachment 129704 [details]
example where onerror / onload isn't triggered
When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change.
The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element."
Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example.
There should be no way to differentiate between non-existent resources and
Taking that unfinished comment back, this doesn't seem like security.
I'm going to try to fix this bug next week. If someone else is excited about fixing it sooner, go for it.
@mkwst: Here's the related bug for CORS. I thought I fixed this though... Maybe I did it in a different bug.
*** This bug has been marked as a duplicate of bug 81998 ***