Bug 80028 - Setting crossOrigin attribute for images won't trigger onerror on CORS denial
Summary: Setting crossOrigin attribute for images won't trigger onerror on CORS denial
Status: RESOLVED DUPLICATE of bug 81998
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P2 Normal
Assignee: Adam Barth
Depends on:
Reported: 2012-03-01 07:49 PST by Niklas von Hertzen
Modified: 2012-06-19 00:32 PDT (History)
4 users (show)

See Also:

example where onerror / onload isn't triggered (551 bytes, text/html)
2012-03-01 07:49 PST, Niklas von Hertzen
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Niklas von Hertzen 2012-03-01 07:49:21 PST
Created attachment 129704 [details]
example where onerror / onload isn't triggered

When defining the crossOrigin attribute for an Image element, it won't return an onload/onerror event if the image exists, but denied by CORS policy. In other words, there is no event to determine when the image has finished loading and whether it managed to load it, unless you check with timers for the complete attribute to change. 

The expected result would be for the onerror event of the image to be triggered (as it does in Firefox), and as defined in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#attr-img-crossorigin "Set the img element to the broken state, and fire a simple event named error at the img element."

Tested on both 19.0.1057.0 canary and 17.0.963.56 m, and neither is triggering the real onerror in the example.
Comment 1 Alexey Proskuryakov 2012-03-02 14:26:56 PST
There should be no way to differentiate between non-existent resources and
Comment 2 Alexey Proskuryakov 2012-03-02 14:27:32 PST
Taking that unfinished comment back, this doesn't seem like security.
Comment 3 Adam Barth 2012-03-02 15:23:10 PST
I'm going to try to fix this bug next week.  If someone else is excited about fixing it sooner, go for it.
Comment 4 Adam Barth 2012-06-19 00:32:20 PDT
@mkwst: Here's the related bug for CORS.  I thought I fixed this though...  Maybe I did it in a different bug.
Comment 5 Adam Barth 2012-06-19 00:32:51 PDT

*** This bug has been marked as a duplicate of bug 81998 ***