The default `crossOrigin` of some `*Loader`s under `examples/js/loaders` is `Anonymous` while base `Loader`'s is `undefined`.
IMO, `crossOrigin` of all `*Loader`s should be `undefined` for security and consistency.
If you folks agree with this, I'll make a PR.
These loaders seem to have a default `Anonymous` `crossOrigin`, as far as I know from the grep command.
AssimpJSONLoader
AssimpLoader
BinaryLoader
ColladaLoader
GLTFLoader
MTLLoader
VRMLLoader
see b37706008b705805b1b197dafbac027e54a0342d
@mrdoob What was your motivation for setting `Anonymous` as the default value?
I also found that the default `crossOrigin` of `ImageLoader`, `TextureLoader`, `CubeTextureLoader` is `Anonymous` now, too. 8aacfda2d9a826749b0f1e93f757b25b7b26db86
Just working through this now, and in the specific case of `ImageLoader`: `crossOrigin` value of `undefined` `THREE.CanvasTexture` based on that canvas results in a security error, because the canvas is "tainted", so in that particular case `undefined` probably isn't a sensible default.
> @mrdoob What was your motivation for setting `Anonymous` as the default value?

I don't remember... Here are some old discussions: #779 #4653
Um, according to @msbit's comment and https://github.com/mrdoob/three.js/issues/4653#issuecomment-41075425, `anonymous` seems to be the better default value for the loaders.
Hmm, yeah... If anything, we could change `Anonymous` to `anonymous`...
IIRC, the CORS setting will be propagated. @msbit's case is the expected result.
Security is often a tradeoff between security and capability. I prefer the secured side as default, `undefined` `crossOrigin`, and apps (devs) set the appropriate value when necessary. But not a strong preference.
As far as I remember, if `crossOrigin` is set to `undefined`, textures do not load in the rawgit link. So if we set it to `undefined` by default we'll have to add `loader.setCrossOrigin( 'anonymous' )` to all the examples.
It would also "break" A LOT of projects... But if someone has really good arguments for doing it we could reconsider.
Setting crossOrigin to undefined rather than anonymous would not result in more security.
This security feature is located server side with a proper CORS configuration.
I don't think that sending Origin in the request header would do any harm in an everyday developer scenario.
Sounds good. Should we change `Anonymous` to `anonymous` though?
> Should we change `Anonymous` to `anonymous` though?

Might be prudent, according to this:

> An invalid keyword and an empty string will be handled as the `anonymous` keyword.

so we may simply be getting the `anonymous` behaviour through a bit of a quirk (though I'm not able to quickly find anything that indicates whether case is important).
Some old Safari versions failed to load images with `anonymous` set if there were no CORS headers. Otherwise it is a good default.
Every reference I found used "anonymous" all lower case.
> Setting crossOrigin to undefined rather than anonymous would not result in more security.

Thanks. This is what I wanted to know in order to discuss how risky setting `anonymous` as the default value is. So there's no reason for me to push `undefined` as the default now. But I just want a consistent default value across the loaders.
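The three points the thread circles around (a missing `crossOrigin` loads anything but taints the canvas, `anonymous` sends an `Origin` header and only loads when the server answers with CORS headers, and an invalid keyword or empty string is handled as `anonymous`) can be modelled without a browser. The following is an added example, not three.js code and not from anyone in the thread: it simulates the browser's treatment of an image `crossorigin` value and what a later canvas read-back (the `CanvasTexture` path) does with the result. The `server` objects are constructed stand-ins for response headers, and the case-insensitive keyword matching reflects how HTML enumerated attributes are compared.

```javascript
// Added example: a model of <img crossorigin> handling, not three.js code.

// Normalise a crossOrigin setting the way an HTML enumerated attribute works:
//   undefined/null            -> attribute absent -> plain (no-CORS) request
//   "use-credentials"         -> CORS request with cookies/credentials
//   anything else ("", typo)  -> the invalid-value default, "anonymous"
// Keyword matching is ASCII case-insensitive, so "Anonymous" is "anonymous".
function normalizeCrossOrigin(value) {
  if (value === undefined || value === null) return null;
  const keyword = String(value).toLowerCase();
  return keyword === 'use-credentials' ? 'use-credentials' : 'anonymous';
}

// Simulated image fetch. `server` is a constructed description of the CORS
// headers the image host sends; no network traffic happens here.
function loadImage({ crossOrigin, sameOrigin, server, pageOrigin }) {
  const mode = normalizeCrossOrigin(crossOrigin);
  if (mode === null) {
    // No Origin header is sent and the server's CORS headers are ignored.
    // The image always loads, but a cross-origin image taints any canvas it
    // is drawn into, so pixels can no longer be read back from that canvas.
    return { loaded: true, sentOrigin: false, taintsCanvas: !sameOrigin };
  }
  // CORS request: Origin is sent and the response must explicitly allow it.
  const allow = server.accessControlAllowOrigin;
  const originOk = allow === pageOrigin || (allow === '*' && mode === 'anonymous');
  const credsOk = mode !== 'use-credentials' || server.accessControlAllowCredentials === true;
  if (sameOrigin || (originOk && credsOk)) {
    return { loaded: true, sentOrigin: true, taintsCanvas: false };
  }
  // Rejected by the CORS check: the image never loads (the "textures do not
  // load" case for a host that sends no CORS headers).
  return { loaded: false, sentOrigin: true, taintsCanvas: false };
}

// Simulated canvas read-back, which is what building a texture from a canvas
// ends up needing. A tainted canvas makes getImageData/toDataURL throw.
function readBackPixels(image) {
  if (!image.loaded) throw new Error('image did not load');
  if (image.taintsCanvas) throw new Error('SecurityError: canvas is tainted');
  return 'pixels';
}

// Run the scenarios discussed in the thread and report which ones yield a
// usable, untainted image. Returns a plain object so it can be inspected.
function runScenarios() {
  const pageOrigin = 'https://app.example';        // constructed page origin
  const noCorsHost = { accessControlAllowOrigin: undefined };
  const openHost = { accessControlAllowOrigin: '*' };
  const cases = {
    undefinedCrossOrigin: loadImage({ crossOrigin: undefined, sameOrigin: false, server: noCorsHost, pageOrigin }),
    anonymousNoCorsHeaders: loadImage({ crossOrigin: 'Anonymous', sameOrigin: false, server: noCorsHost, pageOrigin }),
    anonymousOpenHost: loadImage({ crossOrigin: 'anonymous', sameOrigin: false, server: openHost, pageOrigin }),
    emptyStringOpenHost: loadImage({ crossOrigin: '', sameOrigin: false, server: openHost, pageOrigin }),
    credentialsWildcard: loadImage({ crossOrigin: 'use-credentials', sameOrigin: false, server: openHost, pageOrigin }),
  };
  const report = {};
  for (const [name, image] of Object.entries(cases)) {
    try {
      report[name] = { sentOrigin: image.sentOrigin, readBack: readBackPixels(image) };
    } catch (err) {
      report[name] = { sentOrigin: image.sentOrigin, readBack: err.message };
    }
  }
  return report;
}

console.log(runScenarios());
```

The report makes the thread's conclusion concrete: with `crossOrigin` left `undefined` the image loads but the canvas read-back fails with the taint error, while `anonymous` moves the decision to the server, which is the only place that can actually grant or refuse cross-origin pixel access.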