Skip to content

fix: add crossOrigin configuration to video examples to prevent WebGL SecurityError#406

Open
aomsir wants to merge 2 commits into
phaserjs:masterfrom
aomsir:fix/video-examples-cors
Open

fix: add crossOrigin configuration to video examples to prevent WebGL SecurityError#406
aomsir wants to merge 2 commits into
phaserjs:masterfrom
aomsir:fix/video-examples-cors

Conversation

@aomsir

@aomsir aomsir commented Nov 18, 2025

Copy link
Copy Markdown

Background

When video assets are served from a different origin, the examples may load successfully and play audio, but the video image fails to render in WebGL. Browsers then raise a SecurityError similar to:

Failed to execute 'texImage2D' on 'WebGLRenderingContext':
The video element contains cross-origin data, and may not be loaded.

This occurs because WebGL cannot upload video frames as textures unless the video element is initialized with a crossOrigin attribute and the resource is CORS-enabled.

Purpose of This Change

Adding this.load.setCORS('anonymous') ensures that the video element is created with the correct cross-origin configuration. This prevents the WebGL SecurityError and allows video frames to render correctly when assets are hosted on different origins (local development, CDN setups, etc.).

Impact

  • No breaking changes.
  • No effect on same-origin setups.
  • Improves reliability of all video examples in common developer environments.

If further changes or adjustments are preferred, I can update the PR accordingly.


Note

Adds this.load.setCORS('anonymous') to video example preloaders so cross-origin videos render correctly in WebGL.

  • Video examples: Configure anonymous CORS for video assets
    • public/3.86/src/game objects/video/*:
      • Added this.load.setCORS('anonymous') in preload() across examples (change video source, get first video frame, loop video, multiple video instances, multiple videos, on complete event, play video, stream video from webcam, transparent video, video as shader texture, video controls, video set current time, video snapshot area, video snapshot, video to sprites, video transition).
    • public/3.55/src/game objects/video/play video.js:
      • Added this.load.setCORS('anonymous') before setting BaseURL.

Written by Cursor Bugbot for commit 9b6ead7. This will update automatically on new commits. Configure here.

- Add setCORS('anonymous') to all video examples that load from CDN (3.86, 3.55)
- Remove CORS settings from local video examples (3.24, public/src)
- Ensure proper video playback across different domains
@VIUK-XV

VIUK-XV commented Jun 30, 2026

Copy link
Copy Markdown

Thanks for the cleanup. One small question: should stream video from webcam.js be included in this change?

That example does not preload a video file; it uses navigator.mediaDevices.getUserMedia() and only preloads image assets from the CDN. Since setCORS('anonymous') applies to subsequent loader files, this change seems unrelated to the WebGL video texture issue described in the PR and may be better left out unless there is a specific image/CORS issue this also fixes.

@aomsir

aomsir commented Jun 30, 2026

Copy link
Copy Markdown
Author

Thanks for the cleanup. One small question: should stream video from webcam.js be included in this change?

That example does not preload a video file; it uses navigator.mediaDevices.getUserMedia() and only preloads image assets from the CDN. Since setCORS('anonymous') applies to subsequent loader files, this change seems unrelated to the WebGL video texture issue described in the PR and may be better left out unless there is a specific image/CORS issue this also fixes.

Confirmed — this example uses getUserMedia() rather than preloading a video file, so the loader CORS setting is unrelated to the cross-origin video texture issue described in this PR.

Removed it in 9f616d2 to keep the scope focused on CDN-loaded video files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants