Bug 80028 - Setting crossOrigin attribute for images won't trigger onerror on CORS denial
: Setting crossOrigin attribute for images won't trigger onerror on CORS denial
Status: RESOLVED DUPLICATE of bug 81998
: WebKit
Images
: 528+ (Nightly build)
: PC Windows Vista
: P2 Normal
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2012-03-01 07:49 PST by
Modified: 2012-06-19 00:32 PST (History)


Attachments
example where onerror / onload isn't triggered (551 bytes, text/html)
2012-03-01 07:49 PST, Niklas von Hertzen
no flags Details


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2012-03-01 07:49:21 PST
Created an attachment (id=129704) [details]
example where onerror / onload isn't triggered

When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change. 

The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element."

Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example.
------- Comment #1 From 2012-03-02 14:26:56 PST -------
There should be no way to differentiate between non-existent resources and
------- Comment #2 From 2012-03-02 14:27:32 PST -------
Taking that unfinished comment back, this doesn't seem like security.
------- Comment #3 From 2012-03-02 15:23:10 PST -------
I'm going to try to fix this bug next week.  If someone else is excited about fixing it sooner, go for it.
------- Comment #4 From 2012-06-19 00:32:20 PST -------
@mkwst: Here's the related bug for CORS.  I thought I fixed this though...  Maybe I did it in a different bug.
------- Comment #5 From 2012-06-19 00:32:51 PST -------

*** This bug has been marked as a duplicate of bug 81998 ***