On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <i...@hixie.ch> wrote:
> The idea is that if the server explicitly rejected the CORS request, then the image should not be usable at all.
FWIW, from a CORS perspective both scenarios are fine. CORS only cares about whether data gets shared in the end. One advantage I can see about <img crossorigin> still displaying the image is that the request does not use cookies. Not displaying the image probably makes debugging easier, however.
-- Anne van Kesteren http://annevankesteren.nl/