URL incorrectly concatenated with timestamp parameter #1230

Open
imdap opened this issue Mar 4, 2025 · 2 comments

imdap commented Mar 4, 2025

Cropper version

1.6.2

Link to minimal reproduction

null

Steps to reproduce

The private bucket link returned by MinIO, such as https://img.com/img?sign=xxxxx, is incorrectly concatenated with a timestamp, causing the sign to become invalid. The sign is calculated based on the URL parameters.

at cropperjs/src/js/cropper.js

// line 166
if (options.checkCrossOrigin && isCrossOriginURL(url) && element.crossOrigin) {
  url = addTimestamp(url);
}

// line 210
if (this.options.checkCrossOrigin && isCrossOriginURL(url)) {
  if (!crossOrigin) {
    crossOrigin = 'anonymous';
  }

  // Bust cache when there is not a "crossOrigin" property (#519)
  crossOriginUrl = addTimestamp(url);
}

What is expected?

Provide a configuration option to confirm whether the timestamp parameter needs to be added?

What is actually happening?

Verification failed. Image cannot be loaded.

System Info

Any additional comments?

No response
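
Why the appended parameter breaks the link, as an added example that is not part of the original issue or of Cropper.js: a simplified HMAC presigning scheme (not MinIO's actual algorithm) in which `sign` covers every other query parameter. `SECRET`, the `expires` parameter and the helper names are assumptions; `addTimestamp` is re-implemented here from the behaviour the issue describes.

```javascript
// Added illustration: simplified presigned-URL scheme (NOT MinIO's real algorithm).
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, assumption

// Canonical form: path + sorted query parameters, excluding the signature itself.
function canonicalize(url) {
  const u = new URL(url);
  const params = [...u.searchParams.entries()]
    .filter(([k]) => k !== 'sign')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`);
  return `${u.pathname}?${params.join('&')}`;
}

function hmac(text) {
  return createHmac('sha256', SECRET).update(text).digest('hex');
}

// Server side: issue a URL whose "sign" covers every other query parameter.
function presign(url) {
  const u = new URL(url);
  u.searchParams.set('sign', hmac(canonicalize(u.href)));
  return u.href;
}

// Server side: recompute the signature over the parameters actually received.
function verify(url) {
  const got = Buffer.from(new URL(url).searchParams.get('sign') || '', 'hex');
  const want = Buffer.from(hmac(canonicalize(url)), 'hex');
  return got.length === want.length && timingSafeEqual(got, want);
}

// Client side: cache-busting parameter appended to the URL before loading.
function addTimestamp(url, now = Date.now()) {
  return url + (url.includes('?') ? '&' : '?') + `timestamp=${now}`;
}

// Constructed sample URL; "expires" is a hypothetical signed parameter.
const signed = presign('https://img.com/img?expires=1741046400');
console.log(verify(signed));               // true: URL used exactly as issued
console.log(verify(addTimestamp(signed))); // false: extra parameter changes the signed input
```

Any client-side change to the query string of a presigned URL has the same effect, so such URLs need to reach the storage server byte-for-byte as issued.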

@fengyuanchen (Owner)

Just set the checkCrossOrigin option to false.

imdap (Author) commented Mar 8, 2025

I have tried the operation, but calling getCroppedCanvas().toBlob() brings up a new CORS issue.

Uncaught SecurityError: Failed to execute 'toBlob' on 'HTMLCanvasElement': Tainted canvases may not be exported.

I found the reason for this stack. https://stackoverflow.com/questions/22710627/tainted-canvases-may-not-be-exported

// line 210
if (this.options.checkCrossOrigin && isCrossOriginURL(url)) {
  if (!crossOrigin) {
    // This is where CORS would be resolved, but the checkCrossOrigin option is already set to false, so the code never reaches here.
    crossOrigin = 'anonymous';
  }

  // Bust cache when there is not a "crossOrigin" property (#519)
  crossOriginUrl = addTimestamp(url);
}
