three.js: Suggestion: default crossOrigin of *Loader should be undefined
Description of the problem
The default crossOrigin of some *Loaders under examples/js/loaders is Anonymous while the base Loader’s is undefined.
IMO, crossOrigin of all *Loaders should be undefined for security and consistency.
If you folks agree with this, I’ll make a PR.
These loaders seem to have a default Anonymous crossOrigin, as far as I know from the grep command.
- AssimpJSONLoader
- AssimpLoader
- BinaryLoader
- ColladaLoader
- GLTFLoader
- MTLLoader
- VRMLLoader
Three.js version
- Dev
- r87
- …
Browser
- All of them
- Chrome
- Firefox
- Internet Explorer
OS
- All of them
- Windows
- macOS
- Linux
- Android
- iOS
Hardware Requirements (graphics card, VR Device, …)
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 15 (8 by maintainers)
Just working through this now, and in the specific case of ImageLoader: crossOrigin value of undefined THREE.CanvasTexture based on that canvas results in a security error, because the canvas is “tainted”, so in that particular case undefined probably isn’t a sensible default.

Thanks. This is what I wanted to know to discuss, how risky setting anonymous to default value. So there’s no reason to push undefined for me as default now. But I just want the consistent default value across the loaders.

Every reference I found used “anonymous” all lower case.

Setting crossOrigin to undefined rather than anonymous would not result in more security.
This security feature is located server side with a proper CORS configuration.
I don’t think that sending Origin in the request header would do any harm in an everyday developer scenario.
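
The trade-off discussed in this thread, as an added example that is not part of the original issue or of three.js: a small JavaScript model of how the browser maps an image's crossOrigin value to a fetch mode, and whether the loaded image can then be used as a canvas or WebGL texture. The function names, origins, file name and response headers are constructed for illustration.

```javascript
// Added example: a model of the browser rules, not three.js code.
// crossOrigin value -> fetch settings (HTML "CORS settings attributes").
function corsSettings(crossOrigin) {
  if (crossOrigin === undefined || crossOrigin === null) {
    return { mode: 'no-cors', credentials: 'include' };       // attribute absent
  }
  if (String(crossOrigin).toLowerCase() === 'use-credentials') {
    return { mode: 'cors', credentials: 'include' };
  }
  // "anonymous", "Anonymous", "" and unrecognised keywords all map to the Anonymous state.
  return { mode: 'cors', credentials: 'same-origin' };
}

// Outcome of loading imageUrl from a page at pageOrigin and using it as a texture.
// responseHeaders: lower-cased header names from the image server (constructed input).
function imageOutcome(pageOrigin, imageUrl, crossOrigin, responseHeaders = {}) {
  const { mode, credentials } = corsSettings(crossOrigin);
  if (new URL(imageUrl).origin === pageOrigin) {
    return { loads: true, originClean: true, mode };           // same origin: no CORS check
  }
  if (mode === 'no-cors') {
    // Opaque response: the image displays, but drawing it taints a canvas, and
    // canvas.toDataURL / WebGL texImage2D throw a SecurityError.
    return { loads: true, originClean: false, mode };
  }
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  const originOk = credentials === 'include'
    ? acao === pageOrigin && acac === 'true'                   // "*" is rejected with credentials
    : acao === '*' || acao === pageOrigin;
  // A failed CORS check fires the image's error event; nothing is readable.
  return originOk ? { loads: true, originClean: true, mode }
                  : { loads: false, originClean: false, mode };
}

// Constructed scenarios: page on https://app.example, texture on https://cdn.example.
const page = 'https://app.example';
const tex = 'https://cdn.example/wood.png';
const allowAny = { 'access-control-allow-origin': '*' };
const scenarios = [
  ['undefined, no CORS headers', imageOutcome(page, tex, undefined)],
  ['anonymous, no CORS headers', imageOutcome(page, tex, 'anonymous')],
  ['anonymous, ACAO: *', imageOutcome(page, tex, 'anonymous', allowAny)],
  ['use-credentials, ACAO: *', imageOutcome(page, tex, 'use-credentials', allowAny)],
];
for (const [name, r] of scenarios) console.log(name, JSON.stringify(r));
```

In this model the undefined default loads any cross-origin image but leaves it unusable as a texture, while anonymous makes the load itself depend on the server's Access-Control-Allow-Origin header.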