[wp-trac] [WordPress Trac] #64886: Media: Remove `IMG` from cross-origin isolation `crossorigin="anonymous"` injection.
WordPress Trac
noreply at wordpress.org
Wed Mar 18 17:34:14 UTC 2026
#64886: Media: Remove `IMG` from cross-origin isolation `crossorigin="anonymous"`
injection.
-----------------------------+-----------------------
Reporter: adamsilverstein | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: General | Version: trunk
Severity: normal | Keywords: has-patch
Focuses: |
-----------------------------+-----------------------
== Description
In #64766, `Document-Isolation-Policy: isolate-and-credentialless` was
introduced to enable cross-origin isolation for client-side media
processing. As part of that change, `wp_add_crossorigin_attributes()`
injects `crossorigin="anonymous"` on several HTML elements including
`IMG`.
However, under `Document-Isolation-Policy: isolate-and-credentialless`,
the browser's credentialless mode already handles cross-origin image
loading without requiring CORS headers on the remote server. When
`crossorigin="anonymous"` is explicitly added to an `<img>` element, it
overrides this behavior and forces a CORS preflight request. If the remote
server does not include `Access-Control-Allow-Origin` in its response
headers, the image fails to load entirely.
This causes image previews to break in the block editor sidebar when an
image block references an external URL from a server that does not serve
CORS headers. For example, `https://placehold.jp/1024x768.jpg` triggers
this bug.
=== Steps to reproduce
1. Open the block editor (WordPress 7.0, Chromium 137+).
2. Add an Image block.
3. Select "Insert from URL" and enter an external image URL that does not
serve CORS headers (e.g. `https://placehold.jp/1024x768.jpg`).
4. Observe that the sidebar image preview fails to render with a CORS
error in the console.
=== Expected behavior
The image preview should render. Under
`Document-Isolation-Policy: isolate-and-credentialless`, the browser
handles cross-origin images in credentialless mode without needing
explicit CORS headers.
=== Actual behavior
The image fails to load because `crossorigin="anonymous"` forces a CORS
request, and the remote server does not include the required
`Access-Control-Allow-Origin` header.
== Proposed fix
Remove `IMG` (and the related `imagesrcset` handling on `LINK` elements)
from the `$cross_origin_tag_attributes` array in
`wp_add_crossorigin_attributes()`. The other elements (`AUDIO`, `VIDEO`,
`SCRIPT`, `LINK`, `SOURCE`) still need the attribute for proper error
reporting, media processing, and font loading.
The corresponding client-side JavaScript change (removing `img` from the
MutationObserver in `@wordpress/block-editor`) is handled in the Gutenberg
PR.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64886>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
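
The failure described in this ticket can be checked offline with a small model of the Fetch CORS check for `<img>` requests. This is an added example, not WordPress or Gutenberg code: the function names are hypothetical, the sample response headers are constructed, and the no-attribute case assumes the credentialless behaviour the ticket describes.

```javascript
// Added example; function names are hypothetical, not WordPress or Gutenberg APIs.
// Models only the Fetch "CORS check"; Cross-Origin-Resource-Policy is not modelled.

// HTML maps the crossorigin attribute to a request mode and credentials mode.
function requestSettings(crossorigin) {
  if (crossorigin == null) return { mode: "no-cors", credentials: "include" };
  const useCreds = String(crossorigin).toLowerCase() === "use-credentials";
  return { mode: "cors", credentials: useCreds ? "include" : "same-origin" };
}

// Case-insensitive header lookup over a plain object of response headers.
function header(headers, name) {
  const hit = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return hit === undefined ? null : String(headers[hit]).trim();
}

// Decide whether an <img> renders in a document served with
// Document-Isolation-Policy: isolate-and-credentialless (assumption from the ticket).
function imgLoads({ pageOrigin, src, crossorigin, responseHeaders }) {
  const { mode, credentials } = requestSettings(crossorigin);
  if (new URL(src, pageOrigin).origin === pageOrigin) return { loads: true, reason: "same-origin" };
  if (mode === "no-cors") return { loads: true, reason: "no-cors, credentialless load" };
  const allow = header(responseHeaders, "access-control-allow-origin");
  if (allow === null) return { loads: false, reason: "missing Access-Control-Allow-Origin" };
  if (allow === "*" && credentials !== "include") return { loads: true, reason: "wildcard allowed" };
  if (allow !== pageOrigin) return { loads: false, reason: "Access-Control-Allow-Origin mismatch" };
  if (credentials !== "include") return { loads: true, reason: "origin allowed" };
  const ok = header(responseHeaders, "access-control-allow-credentials") === "true";
  return { loads: ok, reason: ok ? "origin and credentials allowed" : "credentials not allowed" };
}

// Constructed sample responses; the header values are illustrative, not captured.
const PAGE = "https://example.test";
const samples = [
  { src: "https://placehold.jp/1024x768.jpg", responseHeaders: { "Content-Type": "image/jpeg" } },
  { src: "https://cdn.example.net/a.png", responseHeaders: { "Access-Control-Allow-Origin": "*" } },
  { src: "/wp-content/uploads/b.png", responseHeaders: {} },
];

// Report which images render without the attribute but break once
// crossorigin="anonymous" is injected.
function brokenByInjection(list, pageOrigin = PAGE) {
  return list
    .filter((s) => imgLoads({ pageOrigin, crossorigin: null, ...s }).loads &&
                   !imgLoads({ pageOrigin, crossorigin: "anonymous", ...s }).loads)
    .map((s) => s.src);
}

console.log(brokenByInjection(samples));
```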