
Initializing RCrop on images with secured src URL fails on Safari

Open pieterdegraeuwe opened this issue 4 years ago • 0 comments

First of all, the issue does not occur in Chrome, Firefox, or Edge. It seems to only occur in Safari. However, I do think it is strange that it only occurs in Safari. (I think it should occur everywhere.)

What happens: RCrop creates a new Image() at initialization and uses the src URL of the original image. (Note that our images are not allowed to be served cross-origin.) On the new Image, you set the attribute 'crossOrigin' = 'anonymous', which should cause the session cookies not to be sent. (This is the case in Safari, but not in Chrome, Firefox and Edge.)

So, in Safari, initializing RCrop causes a load of the image, which causes a 302 redirect to the login page, which is obviously not what we want.

Patching our rcrop.min.js by changing the 'crossOrigin=anonymous' to 'use-credentials' did fix our problem.

Is there a reason why the 'crossOrigin' is explicitly set to anonymous? Why not 'use-credentials'? At least, I think this should be a configuration option.

Thanks.

pieterdegraeuwe • Jul 16 '20 07:07
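
An added example, not part of the original issue and not RCrop's code: it models how the HTML Standard maps an image's `crossOrigin` value to a credentials mode, and which CORS response headers a cross-origin load then requires, which is what a configurable option would have to account for. The function names and the `example.test` hostnames are assumptions made for the illustration.

```javascript
// Added example: models the HTML Standard's crossorigin -> credentials mapping.
// It does not reproduce any browser's deviations and ignores SameSite rules
// and third-party cookie blocking. Hostnames in the demo are constructed.

// attr: value of <img crossorigin>; undefined/null means the attribute is absent.
function corsSettings(attr) {
  if (attr === undefined || attr === null) {
    return { mode: "no-cors", credentials: "include" };
  }
  if (String(attr).toLowerCase() === "use-credentials") {
    return { mode: "cors", credentials: "include" };
  }
  // "anonymous", "" and any unrecognised value all select the Anonymous state.
  return { mode: "cors", credentials: "same-origin" };
}

function isCrossOrigin(imageUrl, pageUrl) {
  return new URL(imageUrl, pageUrl).origin !== new URL(pageUrl).origin;
}

// Per the standard, are cookies attached to the image request?
function sendsCookies(attr, imageUrl, pageUrl) {
  const { credentials } = corsSettings(attr);
  return credentials === "include" || !isCrossOrigin(imageUrl, pageUrl);
}

// Acceptable values of the CORS response headers the image server must send
// for the load to succeed; {} means no CORS check applies to the response.
function requiredCorsHeaders(attr, imageUrl, pageUrl) {
  const { mode, credentials } = corsSettings(attr);
  if (mode !== "cors" || !isCrossOrigin(imageUrl, pageUrl)) return {};
  const origin = new URL(pageUrl).origin;
  if (credentials === "include") {
    // Credentialed CORS: wildcard origin is rejected, explicit opt-in required.
    return {
      "Access-Control-Allow-Origin": [origin],
      "Access-Control-Allow-Credentials": ["true"],
    };
  }
  return { "Access-Control-Allow-Origin": [origin, "*"] };
}

const page = "https://app.example.test/edit"; // constructed sample page URL
for (const attr of [undefined, "anonymous", "use-credentials"]) {
  for (const img of ["/images/42.png", "https://cdn.example.test/42.png"]) {
    console.log(attr, img, sendsCookies(attr, img, page),
      JSON.stringify(requiredCorsHeaders(attr, img, page)));
  }
}
```

In this model a same-origin image request carries cookies under either attribute value, while `use-credentials` on a cross-origin image only loads if the server returns the exact page origin together with `Access-Control-Allow-Credentials: true`.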