[WASM] Use crossorigin="anonymous" if web image fails to load

[MartinZikmund]

Current behavior

Currently when Image source is a HTTPS URL, it will fail to load in case crossorigin attribute is not set to anonymous due to Cross-Origin-Embedder-Policy header.

<StackPanel Padding="40">
        <Image Width="50" Height="50" Source="https://i.postimg.cc/rpRG3S21/screenshot-195.png"></Image>
        <BitmapIcon Height="50" Width="50" UriSource="https://img.icons8.com/material/96/000000/positive-dynamic--v1.png"/>
</StackPanel>

Expected behavior

If the image fails to load due to CORS, we should retry with crossorigin = anonymous added. This is now needed since the Cross-Origin-Embedder-Policy header is used to enable threading

How to reproduce it (as minimally and precisely as possible)

No response

Workaround

No response

Works on UWP/WinUI

Yes

Environment

No response

NuGet package version(s)

No response

Affected platforms

No response

IDE

No response

IDE version

No response

Relevant plugins

No response

Anything else we need to know?

No response

[jeromelaban]

Cross-origin settings are required when using threading, but also were incorrectly set when using an earlier version of the bootstrapper (fixed in unoplatform/Uno.Wasm.Bootstrap#602).

That being said, that particular attribute could be set on images when threading is enabled, yet it may be a security risk as it disables what the secure mode is enabling. We may need to have a feature flag for this.

[nickodei]

That being said, that particular attribute could be set on images when threading is enabled, yet it may be a security risk as it disables what the secure mode is enabling. We may need to have a feature flag for this.

So what is the best way to approach this issue? Should it be enabled if threading is enabled, or completely disabled because of the security risk or does it need to be behind a feature flag? I could look at this issue but this needs to be clarified prior to someone working on it.