
HTML canvas and cross-origin images: taint, CORS-enabled ImageBitmap, and getImageData restrictions

Drawing a bitmap from another origin without CORS taints the canvas—subsequent pixel reads throw security errors.


WebGL

Textures uploaded from cross-origin images need CORS-clean sources—WebGL errors can be cryptic.

OffscreenCanvas in workers follows the same rules, so test both the worker and main-thread code paths.

Export

`toBlob` and `toDataURL` fail on tainted canvases—catch errors in image export features.
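
The sketch below is an added example, not code from the original post: it loads an image in CORS mode so the canvas stays origin-clean, and wraps `toDataURL` and `toBlob` so an export feature can tell a tainted canvas apart from other failures. All function names and reason codes are hypothetical, and `createImage` is an assumed injection point for running the helper outside a browser.

```javascript
// Added example (not from the original post); function names are hypothetical.

// Request the image in CORS mode so drawing it leaves the canvas origin-clean.
// The image server must also send a matching Access-Control-Allow-Origin header.
// createImage is injectable so the helper can be exercised outside a browser.
function loadCorsImage(url, createImage = () => new Image()) {
  return new Promise((resolve, reject) => {
    const img = createImage();
    img.crossOrigin = "anonymous"; // set before src so the first fetch is a CORS request
    img.onload = () => resolve(img);
    img.onerror = () => reject(new Error("image failed to load (network or CORS): " + url));
    img.src = url;
  });
}

// Map an exception from a canvas read/export call to a stable reason code.
function classifyCanvasError(err) {
  return err && err.name === "SecurityError" ? "tainted" : "error";
}

// toDataURL throws synchronously on a tainted canvas.
function exportDataUrl(canvas, type = "image/png") {
  try {
    return { ok: true, dataUrl: canvas.toDataURL(type) };
  } catch (err) {
    return { ok: false, reason: classifyCanvasError(err) };
  }
}

// toBlob also throws synchronously when tainted (before the callback is ever
// scheduled), so the call itself is wrapped; a null blob means encoding failed.
function exportBlob(canvas, type = "image/png") {
  return new Promise((resolve) => {
    try {
      canvas.toBlob((blob) => resolve(blob ? { ok: true, blob }
                                           : { ok: false, reason: "encode-failed" }), type);
    } catch (err) {
      resolve({ ok: false, reason: classifyCanvasError(err) });
    }
  });
}
```
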
