When using cross origin urls for images with the canvas api, if the image is cross origin I am getting a tainted canvas exception. MDN Allowing cross-origin use of images and canvas.
Changing crossOrigin="anonymous" fixes the issue; however, is it okay to always do that? Or should I check the url first to make sure that it really is crossOrigin before setting it to anonymous?
e.g.
JavaScript
x
14
14
1
function isCrossOriginURL(url) {2
const { location } = window;3
const parts = url.match(/^(w+:)//([^:/?#]*):?(d*)/i);4
5
return (6
parts !== null &&7
(parts[1] !== location.protocol ||8
parts[2] !== location.hostname ||9
parts[3] !== location.port)10
);11
}12
13
console.log(isCrossOriginURL("https://stacksnippets.net"))14
console.log(isCrossOriginURL("https://google.com"))Advertisement
Answer
Is is not OK to always set crossorigin=anonymous.
The crossorigin attribute is a statement that you want to do something to the image which requires permission using CORS.
If the server doesn’t grant permission using CORS then you won’t be able to do things with the image that normally don’t require permission … such as displaying the image at all.
JavaScript
1
3
1
<img src="https://placem.at/places?h=100&w=100" alt="No CORS needed">2
3
<img src="https://placem.at/places?h=100&w=100" crossorigin=anonymous alt="Requires CORS">