On Fri, May 31, 2013 at 1:10 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, May 30, 2013 at 12:35 AM, Robert O'Callahan > <robert@ocallahan.org> wrote: > > Note that if we do this, we'll need to continue to apply an origin check > > when filter/mask/clip/use/pattern etc refer to an element in an external > > document, at the time they use the element. Anne, can we make regular > image > > loads record presence of an Access-Control-Allow-Origin header if the > server > > sends one, without causing the load to fail if it happens to be > cross-origin > > with no header? > > There's no such concept right now. You either opt into CORS or you get > a tainted cross-origin request which cannot be untainted. Note this > would also be problematic with respect to cookies, unless you'll do > something different for those than tainted cross-origin requests do. > OK then, I think we'd have to use a regular non-CORS request and apply strict same-origin checking at time of use. We could however mint a "cors-url(...)" CSS image value which does a CORS fetch and completely fails for cross-origin loads. Rob -- q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Thursday, 30 May 2013 13:34:59 UTC