Why does the editor throw a CORS error when processing an image?

The most likely cause of CORS errors is an incorrectly configured CORS policy on a remote server. A resource is deemed remote when it has a different domain, subdomain, protocol, or port as the local server.

Some examples of cross-origin requests:

https://my-site.com -> https://your-site.com
https://my-site.com -> https://sub.my-site.com
https://my-site.com -> http://my-site.com
https://my-site.com -> http://my-site.com:1234

We can determine if the CORS policy is configured incorrectly by looking at the network tab of our browser developer tools and inspecting the request. If the Access-Control response headers are turned CORS is configured.

Below we can see the request information when loading a test image from the PQINA webserver:

Request Headers
  Url: https://pqina.nl/pintura/test/cors/test.jpeg
  Method: GET

Response Headers
  Access-Control-Allow-Methods: GET
  Access-Control-Allow-Origin: *
  Content-Type: image/jpeg

A wildcard means that the file can be accessed from everywhere, it's best to set a specific origin.

Access-Control-Allow-Origin: https://my-site.com

If a specific origin is set (so no wildcard), we need to make sure the image is correctly cached as well. To do this we need to set the Vary header to Origin, see CORS and caching on MDN.

If for some reason the remote CORS policy can't be changed we can proxy the image request through the local server. In that situation we send the URL of the remote image to our local server, our local server then requests the remote image and returns the result to the front-end.

Additional information on setting a CORS policy:

HTML Canvas and CORS

About Canvas and CORS on MDN

Google Cloud and CORS

Google Cloud CORS

Amazon AWS S3 and CORS

An S3 bucket doesn't automatically send the Vary: Origin header, the Origin header needs to be present in the request for S3 to add it to Vary.

Azure and CORS

Azure CORS