OS: GNU/Linux Ubuntu 18.04
Browser: Firefox Nightly 81.0a1 (2020-08-21)
Steps to reproduce the problem:
Open the attached document in the browser (contents included here for clarity):
<link rel="icon" href="https://www.w3.org/2008/site/images/favicon.ico" crossorigin>
Expected result: the browser does not associate the referenced image with the current document (because the image is not served with the appropriate CORS headers)
Actual result: the browser associates the referenced image with the current document
The attached document sets the crossorigin attribute to "anonymous", but the bug is also present for the empty value ("") and for "use-credentials".
According to the "default fetch and process the linked resource" algorithm:
- Let corsAttributeState be the current state of the el's crossorigin content attribute.
Which is used in "create a potential-CORS request":
- Let mode be "no-cors" if corsAttributeState is No CORS, and "cors" otherwise.
Fetch's "main fetch":
- Set request’s response tainting to "cors".
- Return the result of performing an HTTP fetch using request.
And "HTTP fetch":
- If request’s response tainting is "cors" and a CORS check for request and response returns failure, then return a network error.
This behavior suggests that the request's mode is being set to "no-cors" regardless of the value of the crossorigin attribute. Likewise, the request header Sec-Fetch-Mode is set to "no-cors" in all cases.
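
The spec steps quoted in the report, modeled as an added example (not part of the original report and not browser code), showing the request mode, Sec-Fetch-Mode value and outcome each crossorigin value should produce for a cross-origin icon. The document origin and the response headers are constructed assumptions, and the function names are hypothetical.

```javascript
// Added example: models the spec steps quoted in the report; not browser code.

// HTML: state of the crossorigin content attribute (null = attribute absent).
function corsAttributeState(value) {
  if (value === null) return "No CORS";            // missing value default
  if (value.toLowerCase() === "use-credentials") return "Use Credentials";
  return "Anonymous";                              // "", "anonymous", or an invalid value
}

// HTML "create a potential-CORS request": derive mode and credentials mode.
function potentialCorsRequest(url, origin, state) {
  return {
    url,
    origin,
    mode: state === "No CORS" ? "no-cors" : "cors",
    credentials: state === "Anonymous" ? "same-origin" : "include",
  };
}

// Fetch "CORS check": true on success, false on failure.
function corsCheck(request, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (request.credentials !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== request.origin) return false;
  if (request.credentials !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Outcome the quoted steps require for a cross-origin icon fetch.
function expectedOutcome(attrValue, origin, url, headers) {
  const request = potentialCorsRequest(url, origin, corsAttributeState(attrValue));
  const secFetchMode = request.mode;               // Sec-Fetch-Mode carries the request mode
  if (request.mode === "no-cors") return { secFetchMode, result: "opaque response" };
  const ok = corsCheck(request, headers);
  return { secFetchMode, result: ok ? "cors response" : "network error" };
}

// Constructed inputs: hypothetical document origin, response without CORS headers.
const DOC_ORIGIN = "https://example.test";
const ICON_URL = "https://www.w3.org/2008/site/images/favicon.ico";
const NO_CORS_HEADERS = { "content-type": "image/x-icon" }; // constructed, lowercase keys

for (const attr of [null, "", "anonymous", "use-credentials"]) {
  console.log(JSON.stringify(attr), expectedOutcome(attr, DOC_ORIGIN, ICON_URL, NO_CORS_HEADERS));
}
```

Comparing this table against the Sec-Fetch-Mode header observed in the network panel for each attribute value shows where the implementation diverges from the quoted steps.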