Polotno Docs
Misc

How to Resolve CORS Issues

Configure servers and image tags to avoid CORS errors when loading images into Polotno

In order to load images into the canvas element, Polotno sets the crossOrigin attribute to anonymous by default. In some configurations you may see an error like this:

Access to image at 'http://example.com/image.jpg' from origin 'http://your-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here's the fix:

1. Make sure assets are served with CORS headers

First, ensure that the server hosting your images allows CORS requests. If you control the server, add the header Access-Control-Allow-Origin: * to the response.

If you use an S3 bucket, enable CORS in the bucket settings. See AWS docs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html

2. Make sure all images have crossOrigin attribute

Before adding images into the canvas, you may want to display them somewhere else in your application UI (e.g., a side panel or pre‑editor step). Make sure that all images have the crossOrigin attribute set to anonymous. For example, if you use an img tag:

<img src="http://example.com/image.jpg" crossOrigin="anonymous" />

Explanation: if you load the same image in the same browsing session without the crossOrigin attribute, and later load it with crossOrigin, the browser will enforce CORS because it was initially fetched without the expected setting. Always include crossOrigin="anonymous" consistently.