Skip to content

fix(common): preserve crossorigin on image preloads#69743

Open
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/ng-optimized-image-crossorigin-preload
Open

fix(common): preserve crossorigin on image preloads#69743
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/ng-optimized-image-crossorigin-preload

Conversation

@SkyZeroZx

@SkyZeroZx SkyZeroZx commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Propagate the crossorigin attribute from priority NgOptimizedImage hosts to SSR-generated preload links. Keep preload and image requests in the same credentials mode to avoid an anonymous image issuing an earlier credentialed request.

Include the CORS mode in the preload deduplication key so images sharing a URL but using different policies receive compatible preloads.

This avoid an controlling images.example.com can use the credentialed preload to receive parent-domain cookies and overwrite them via Set-Cookie.

Propagating crossorigin="anonymous" prevents both cookie transmission and replacement.

More context https://issuetracker.google.com/u/1/issues/533629865

Propagate the crossorigin attribute from priority NgOptimizedImage hosts to SSR-generated preload links. Keep preload and image requests in the same credentials mode to avoid an anonymous image issuing an earlier credentialed request.

Include the CORS mode in the preload deduplication key so images sharing a URL but using different policies receive compatible preloads.
@pullapprove pullapprove Bot requested a review from JeanMeche July 11, 2026 15:48
@angular-robot angular-robot Bot added the area: common Issues related to APIs in the @angular/common package label Jul 11, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jul 11, 2026
sizes?: string,
crossOrigin?: string | null,
): void {
const preloadKey = JSON.stringify([src, getCrossOriginMode(crossOrigin)]);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm questionning wether we need to use the cross origin mode in the key.
Do you see a true usecase where a src would be use with different cross origin mode ?

@SkyZeroZx SkyZeroZx Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, indeed, according to our issues

We might want to use a different CDN at runtime or according to user customization. I've also experimented with switching CDNs using some runtime tricks, so I don't think it's an unusual use case.

Or if you're referring to the key, it's more for security to avoid an unwanted case (it would be strange if it wasn't consistent).

Eg the same image endpoint could redirect or return different content depending on whether credentials are included. It may also be used normally in one place and with crossorigin="anonymous" for some usage elsewhere.

Since the browser treats the request mode and credentials mode as part of the preload key, preloads for the same URL but different CORS modes are not interchangeable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: common Issues related to APIs in the @angular/common package

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants