fix(app): drop crossOrigin on map thumbnails to avoid GCS CORS preflight

MarkusNeusinger · claude · MarkusNeusinger · commit e88ad9923886 · 2026-04-30T22:42:49.000+02:00
Setting img.crossOrigin='anonymous' in preloadImages forces a CORS preflight, which fails because the anyplot-images GCS bucket has no CORS headers configured. All 312 thumbnails were getting blocked ("No 'Access-Control-Allow-Origin' header is present"). We only drawImage() these onto the canvas — never call getImageData or toDataURL — so a tainted canvas is fine. Drop the attribute and the browser fetches the images as a regular cross-origin GET that GCS happily serves. Refs #5646 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/app/src/pages/MapPage.helpers.ts b/app/src/pages/MapPage.helpers.ts
@@ -168,7 +168,10 @@ export async function preloadImages(
         // document.createElement is preferred over `new Image()` here only because
         // some lint configs don't surface browser globals on plain .ts files.
         const img = document.createElement('img');
-        img.crossOrigin = 'anonymous';
+        // Intentionally NOT setting img.crossOrigin: the GCS bucket has no CORS
+        // headers, and adding crossOrigin='anonymous' triggers a preflight that
+        // fails. We only ever drawImage() these onto the canvas (the canvas
+        // becomes "tainted", which is fine — we never read it back).
         img.onload = () => {
           out.set(id, img);
           onLoad?.(id, img);
