Without editing Cesium code, can I force image requests not to use the CORS header?

For a variety of reasons (I can provide details if it's germane to the solution) I need my Cesium instance to not include the Origin header with its imagery requests. I took a quick look through the code and saw an easy way to disable this if I change the default in loadImage.js.

I was wondering if there might be a way to change this default without actually needing to rebuild the source, as that would save me from needing to rebuild every time an update comes out.


Hey Jud,

There’s no way currently, but we could add one. I’d probably add a property to loadImage that, when set, forces the CORS header off. If you want to do that and open a pull request, I’ll review and merge it. You’ll have to sign a CLA or add a DCO, though. It’s not as scary as it sounds, details here: https://github.com/AnalyticalGraphicsInc/cesium/blob/master/CONTRIBUTING.md.

I am a little curious why you would need to turn off the CORS header, though. I wouldn’t mind hearing the details.


> I am a little curious why you would need to turn off the CORS header, though. I wouldn't mind hearing the details.

The short answer is that our servers are using cookies to handle authentication, and when the CORS header is used the cookie is not included by the browser unless I configure our server properly. I could probably figure out how to do that, but I don't think my QA team is going to like seeing those directives in our config (especially if I just stick the typical Access-Control-Allow-Origin "*" in all responses). There's a reason the server is locked down.

Our use case would never involve cross-origin access, so it seems simpler to just make Cesium not do it.

Makes sense. Perhaps another approach is to modify loadImage (and similar methods) to skip the CORS header when the request is not cross-origin in the first place.

I believe there is cross-origin request detection logic in the TaskProcessor code already which can be refactored out.
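As an added illustration (not part of the thread, and not Cesium's code), this is one way the approach suggested above could look: an image loader that opts into a CORS request only when the URL's origin differs from the page's. The function names and the `example.test` hosts are hypothetical.

```javascript
// Added example; isCrossOriginUrl, crossOriginSettingFor and
// loadImageSameOriginAware are hypothetical names, not Cesium APIs.

// True when `url`, resolved against `pageUrl`, has a different origin.
function isCrossOriginUrl(url, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(url, page); // relative URLs resolve against the page
  // data: and blob: URLs never need a CORS request.
  if (target.protocol === 'data:' || target.protocol === 'blob:') {
    return false;
  }
  // An origin is scheme + host + port; URL drops default ports (":443" on https),
  // so "https://host" and "https://host:443" compare equal.
  return target.origin !== page.origin;
}

// Value to assign to HTMLImageElement.crossOrigin.
// undefined means "leave the attribute unset" (a plain, non-CORS image request).
function crossOriginSettingFor(url, pageUrl) {
  return isCrossOriginUrl(url, pageUrl) ? '' : undefined; // '' is "anonymous"
}

// Browser-only: load an image, requesting CORS only for cross-origin URLs.
function loadImageSameOriginAware(url, pageUrl) {
  return new Promise((resolve, reject) => {
    const image = new Image();
    const setting = crossOriginSettingFor(url, pageUrl);
    if (setting !== undefined) {
      image.crossOrigin = setting;
    }
    image.onload = () => resolve(image);
    image.onerror = reject;
    image.src = url;
  });
}
```

In a page, `pageUrl` would be `window.location.href`. A different scheme or port counts as a different origin, so an `http:` tile URL on an `https:` page is still treated as cross-origin.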

I’ve opened a pull request to add the cross-origin request detection logic I mentioned to loadImage as well, so it only uses CORS headers when needed: