According to the CORS W3C specification, it's up to the web client (like Curl/Wget/Burp Suite) to change/override the Origin header.

In the current implementation of the User class, the @CrossOrigin annotation only allows cross-origin HTTP requests from a single origin. You can customize this behavior by specifying the value of one of the following annotation .

The key is to use the crossorigin attribute by setting crossOrigin on the HTMLImageElement into which the image will be loaded.

However, for concerns, there is indeed this Safari issue you mentioned, and also the fact that every request made with the crossOrigin attribute is a two-step request: first the browser makes a .

Understanding Cross-Origin Resource Sharing Vulnerabilities.