crossorigin="anonymous" Prevents Rendering and Canvas Access for Custom Scheme and HTTP Images on iOS 18

Safari & Web General
CXUAN OP
Created 6d
Replies 0
Boosts 0
Views 253
Participants 1

On iOS 18, when setting the src attribute of an <img> tag to a custom scheme (e.g., myapp://image.png) or an HTTP URL (http://example.com/image.png), if crossorigin="anonymous" is applied, the image fails to load. Additionally, images affected by this issue cannot be drawn to a <canvas>, as the browser treats them as tainted and blocks access to their pixel data.

This issue did not occur in previous iOS versions and seems to be a regression in iOS 18.

Steps to Reproduce:

  1. Open an HTTPS-hosted H5 page in Safari on iOS 18.
  2. Add an <img> tag with crossorigin="anonymous" and set src to either:
  • A custom scheme:
<img src="myapp://image.png" crossorigin="anonymous">
  • An HTTP URL (even from the same origin):
<img src="http://example.com/image.png" crossorigin="anonymous">
  1. Observe that the image does not load.
  2. Attempt to draw the image onto a <canvas> and retrieve its data:
const canvas = document.createElement("canvas");
const ctx = canvas.getContext("2d");
const img = new Image();
img.crossOrigin = "anonymous";
img.src = "http://example.com/image.png"; // or "myapp://image.png"
img.onload = () => {
    ctx.drawImage(img, 0, 0);
    try {
        console.log(canvas.toDataURL()); // Expect base64 image data
    } catch (error) {
        console.error("Canvas is tainted:", error);
    }
};
  1. Notice that the image is blocked, and any attempt to access pixel data results in a CORS error.

Expected Behavior: * The image should be displayed if it is accessible under normal CORS rules. * The <canvas> API should allow access to the image data unless explicitly blocked by the server’s CORS policy.

Actual Behavior:

  • The image fails to load when crossorigin="anonymous" is applied.
  • The <canvas> API does not allow access to the image data, treating it as tainted.
  • Removing crossorigin="anonymous" allows the image to display in some cases, but this is not a viable workaround when CORS enforcement is required.

Regression:

  • Works correctly on: iOS 17 and earlier
  • Broken on: iOS 18

Environment:

  • Device: iPhone/iPad
  • iOS Version: 18.0+
  • Browser: Safari

Suggested Fix:

Apple should investigate this regression and allow custom schemes and HTTP images to be correctly handled under CORS policies when crossorigin="anonymous" is set. If the source allows cross-origin requests, Safari should not block the image or its use in <canvas>.

Replies  0
Boosts  0
Views  253
Participants  1
crossorigin="anonymous" Prevents Rendering and Canvas Access for Custom Scheme and HTTP Images on iOS 18
First post date Last post date
 
 
Q