Media: Remove IMG from crossorigin attribute injection #11291

Closed
adamsilverstein wants to merge 5 commits into WordPress:trunk from adamsilverstein:fix/remove-img-crossorigin-isolation

Conversation


@adamsilverstein adamsilverstein commented Mar 18, 2026

Trac ticket: https://core.trac.wordpress.org/ticket/64886

Related Gutenberg issue: WordPress/gutenberg#76476

Description

Removes IMG from the list of elements that receive crossorigin="anonymous" in wp_add_crossorigin_attributes(). Also removes the related imagesrcset handling from LINK elements.

Under Document-Isolation-Policy: isolate-and-credentialless (introduced in r61844), the browser's credentialless mode already handles cross-origin image loading without requiring CORS headers on the remote server. Explicitly adding crossorigin="anonymous" to <img> elements overrides this behavior and forces a CORS preflight — breaking images from servers that don't include Access-Control-Allow-Origin in their response headers.

This causes image previews to break in the block editor sidebar when an image block references an external URL (e.g. https://placehold.jp/1024x768.jpg).

Related Gutenberg PR: WordPress/gutenberg#76618

Changes

  • Remove IMG entry from $cross_origin_tag_attributes in wp_add_crossorigin_attributes()
  • Remove imagesrcset from LINK entry (used for <link> preload tags for images — same issue)
  • Update existing test to use <script> instead of <img> for the positive case
  • Add new test asserting <img> does NOT get crossorigin="anonymous"

Testing

  1. Open block editor in Chromium 137+
  2. Add an Image block → "Insert from URL" → https://placehold.jp/1024x768.jpg
  3. Sidebar preview should render correctly (no CORS error)
  4. Verify Document-Isolation-Policy: isolate-and-credentialless header is still sent
  5. Drag an image from desktop onto the editor — client-side media processing still works

Commit message

Media: Remove `IMG` from crossorigin attribute injection.

Under `Document-Isolation-Policy: isolate-and-credentialless`, the browser's credentialless mode already handles cross-origin image loading without requiring CORS headers. Explicitly adding `crossorigin="anonymous"` to `<img>` elements overrides this behavior and forces a CORS preflight request, breaking images from servers that don't include `Access-Control-Allow-Origin` in their response headers.

This also removes the related `imagesrcset` handling from `LINK` elements, which had the same issue for `<link>` preload tags for images.

See related Gutenberg issue: https://github.com/WordPress/gutenberg/issues/76476.

Follow-up to [61844], [61846].

Props adamsilverstein, swissspidy.
Fixes #64886.

Under Document-Isolation-Policy: isolate-and-credentialless,
the browser handles cross-origin images in credentialless
mode without needing explicit CORS headers. Adding
crossorigin="anonymous" to img elements overrides this and
breaks external images whose servers don't serve CORS
headers (e.g. sidebar previews for external image URLs).

Also removes imagesrcset handling from LINK elements for
the same reason.

See #64766.
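To make the effect of the change concrete, here is an added PHP example (not WordPress core's `wp_add_crossorigin_attributes()` and not code from this PR): a simplified function with the tag/attribute table the PR description leaves behind, run over a few constructed tags. The table, the origin comparison and the regex-based tag scanner are assumptions of this example; core's own HTML processing is not reproduced here.

```php
<?php
// Added example, not WordPress core code. Simplified stand-in for a
// wp_add_crossorigin_attributes()-style filter, with IMG absent from the
// table and imagesrcset no longer listed for LINK, as in this PR.
// The tag/attribute table and the regex tag scanner are assumptions.

// Elements whose listed attributes may reference a cross-origin resource.
const CROSS_ORIGIN_TAG_ATTRIBUTES = array(
	'AUDIO'  => array( 'src' ),
	'LINK'   => array( 'href' ),
	'SCRIPT' => array( 'src' ),
	'SOURCE' => array( 'src', 'srcset' ),
	'VIDEO'  => array( 'src' ),
);

// scheme://host[:port] for an absolute or scheme-relative URL;
// null for a relative URL, which is same-origin by definition.
function origin_of( string $url, string $default_scheme = 'https' ): ?string {
	$parts = parse_url( $url );
	if ( false === $parts || empty( $parts['host'] ) ) {
		return null;
	}
	$scheme = strtolower( $parts['scheme'] ?? $default_scheme );
	$port   = isset( $parts['port'] ) ? ':' . $parts['port'] : '';
	return $scheme . '://' . strtolower( $parts['host'] ) . $port;
}

// True when any URL in the attribute value lives on another origin.
// srcset values are comma-separated "url [descriptor]" candidates.
function attribute_is_cross_origin( string $attr, string $value, string $site_origin, string $site_scheme ): bool {
	$candidates = ( 'srcset' === $attr ) ? explode( ',', $value ) : array( $value );
	foreach ( $candidates as $candidate ) {
		$url    = preg_split( '/\s+/', trim( $candidate ) )[0];
		$origin = origin_of( $url, $site_scheme );
		if ( null !== $origin && $origin !== $site_origin ) {
			return true;
		}
	}
	return false;
}

// Adds crossorigin="anonymous" to listed tags with a cross-origin URL.
// Simplification: only quoted attribute values are recognised and the
// scanner does not understand <script>/<style> text content.
function add_crossorigin_attributes( string $html, string $site_url ): string {
	$site_origin = origin_of( $site_url );
	$site_scheme = parse_url( $site_url, PHP_URL_SCHEME ) ?: 'https';

	return preg_replace_callback(
		'/<([a-zA-Z][a-zA-Z0-9-]*)(\s[^<>]*?)?\s*(\/?)>/',
		function ( array $m ) use ( $site_origin, $site_scheme ) {
			$tag   = strtoupper( $m[1] );
			$attrs = $m[2] ?? '';
			$close = '' !== $m[3] ? ' /' : '';

			// Not in the table, IMG included: the tag passes through untouched.
			if ( ! isset( CROSS_ORIGIN_TAG_ATTRIBUTES[ $tag ] ) ) {
				return $m[0];
			}
			// Keep an author-supplied crossorigin value as-is.
			if ( preg_match( '/\scrossorigin(\s|=|$)/i', $attrs ) ) {
				return $m[0];
			}
			foreach ( CROSS_ORIGIN_TAG_ATTRIBUTES[ $tag ] as $attr ) {
				if ( preg_match( '/\s' . $attr . '\s*=\s*(["\'])(.*?)\1/i', $attrs, $a )
					&& attribute_is_cross_origin( $attr, $a[2], $site_origin, $site_scheme ) ) {
					return '<' . $m[1] . $attrs . ' crossorigin="anonymous"' . $close . '>';
				}
			}
			return $m[0];
		},
		$html
	);
}

// Constructed sample site URL and markup covering the cases from the PR.
$site_url = 'https://example.org';
$input    = implode( "\n", array(
	'<img src="https://placehold.jp/1024x768.jpg" alt="">',                  // stays untouched
	'<script src="https://cdn.example.com/app.js"></script>',                // gets crossorigin
	'<script src="/wp-includes/js/local.js"></script>',                      // same-origin: untouched
	'<link rel="stylesheet" href="//cdn.example.com/style.css">',            // gets crossorigin
	'<link rel="preload" as="image" href="/hero.jpg" imagesrcset="https://cdn.example.com/hero-2x.jpg 2x">', // untouched
	'<video src="https://cdn.example.com/clip.mp4" crossorigin="use-credentials"></video>', // existing value kept
	'<source srcset="/a.webp 1x, https://cdn.example.com/b.webp 2x" type="image/webp" />',   // gets crossorigin
) );

echo add_crossorigin_attributes( $input, $site_url ), "\n";
```

Run with `php example.php`. The `<img>` and the preload `<link>` come out byte-for-byte unchanged, which is the behaviour the PR's new negative test asserts; the script, stylesheet and `<source>` tags gain `crossorigin="anonymous"`. That is also the security-relevant distinction in the description: the attribute switches the browser's fetch for that element into CORS mode, which requires `Access-Control-Allow-Origin` on the response, whereas an `<img>` without it loads under the credentialless document isolation policy with no CORS header required.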
@github-actions

github-actions bot commented Mar 18, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props adamsilverstein, swissspidy, westonruter.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Add tests for audio, video, link, source elements, srcset
on images, imagesrcset on links, same-origin and relative
URLs, existing crossorigin preservation, and mixed tags.
Reduces boilerplate by consolidating 10 individual test
methods into two data-provider-driven tests while keeping
the same coverage.
@adamsilverstein
Member Author

Added a proposed commit message to the PR description.

The hardcoded http://example.org URL does not match CI
configs that use a non-standard port (example.org:8889),
causing the test to fail. Use site_url() at runtime.

westonruter commented Mar 18, 2026

Why are images the one exception that don't need crossorigin=anonymous? Why do VIDEO, AUDIO, et al specifically require it?

* @param string $html HTML input to process.
*/
public function test_output_buffer_adds_crossorigin_attributes() {
public function test_output_buffer_adds_crossorigin( $html ) {
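Review bot: the docblock lines shown here carry `@param string $html HTML input to process.` but no `@dataProvider` annotation, and the commit message says these tests were consolidated into two data-provider-driven methods; make sure `test_output_buffer_adds_crossorigin( $html )` is annotated with `@dataProvider` naming its provider (presumably `data_elements_that_should_get_crossorigin`, shown further down), because without it PHPUnit invokes the method with no argument and the required parameter turns the test into an error rather than a failure.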

Suggested change
public function test_output_buffer_adds_crossorigin( $html ) {
public function test_output_buffer_adds_crossorigin( string $html ) {

Comment on lines +217 to +219
* @return array[]
*/
public function data_elements_that_should_get_crossorigin() {
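Review bot: `@return array[]` says nothing about the shape PHPUnit unpacks from `data_elements_that_should_get_crossorigin()`; the suggested `array<string, array{ 0: string }>` documents string keys, so give every data set a descriptive key (element plus URL kind, e.g. `'script, cross-origin src'`) instead of a numeric index, so that a failing case is named in the PHPUnit output.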

Suggested change
* @return array[]
*/
public function data_elements_that_should_get_crossorigin() {
* @return array<string, array{ 0: string }>
*/
public function data_elements_that_should_get_crossorigin(): array {

*
* @param string $html HTML input to process.
*/
public function test_output_buffer_does_not_add_crossorigin( $html ) {
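Review bot: for the negative cases in `test_output_buffer_does_not_add_crossorigin( $html )`, assert that the buffered output is identical to `$html` (`$this->assertSame( $html, $output )`) rather than only that it lacks `crossorigin="anonymous"`; an exact comparison also catches the processor rewriting `<img>` or `imagesrcset` markup in any other way, which is what the new `<img>` assertion listed in the description is meant to guarantee.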

Suggested change
public function test_output_buffer_does_not_add_crossorigin( $html ) {
public function test_output_buffer_does_not_add_crossorigin( string $html ) {


@andrewserong andrewserong left a comment


Thanks for handling the change here! The code change looks good, and I think we'll only be able to confirm in the block editor once WordPress/gutenberg#76618 is included in the next Gutenberg sha bump.

LGTM 🚀

@github-actions

A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 62048
GitHub commit: 5f16124

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions bot closed this Mar 19, 2026