
[Bug 11203] Canvas security model does not allow for same-origin relaxation

From: <bugzilla@jessica.w3.org>
Date: Wed, 03 Nov 2010 02:51:31 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PDTRj-0006MF-Sz@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

--- Comment #6 from Boris Zbarsky <bzbarsky@mit.edu> 2010-11-03 02:51:31 UTC ---
The thing with scripts is that the relaxation can be done completely on the
client side: two scripts _both_ indicate that they want to relax the
restrictions, and they can talk to each other.

Here, we'd need the canvas and the image/video being drawn into it to _both_
indicate that they want to relax the restriction.  For the canvas, this can be
done client-side in script by setting document.domain.  But for the others,
there is no client-side anything happening; the relaxation needs to be either
in image metadata chunks or in the HTTP response from the server, right?

If you're not proposing the image itself be changed, then you're proposing some
configuration change to the HTTP response.  And if we're already doing that,
then that change might as well be to send the proper CORS headers instead of
inventing a new wheel that's attached the same way.  Or am I missing something?

Received on Wednesday, 3 November 2010 02:51:33 GMT
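
The "both sides opt in" requirement from the comment above, modelled with the CORS check it suggests reusing; this is an added example, not part of the original message or of any browser's code. The function names and sample origins are hypothetical, and `corsRequested` stands for the page-side opt-in (in later HTML, the `crossorigin` attribute).

```javascript
// Simplified model: does drawing an image leave a canvas readable by the page?
// All names here are hypothetical; the header names are the real CORS ones.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Server-side opt-in: the CORS check on the image's HTTP response.
function corsCheckPasses(pageOrigin, headers, withCredentials) {
  const allowed = getHeader(headers, 'Access-Control-Allow-Origin');
  if (allowed === null) return false;            // server said nothing: no relaxation
  if (allowed === '*') return !withCredentials;  // wildcard never covers credentialed fetches
  if (allowed !== pageOrigin) return false;      // exact match only, no prefix/suffix matching
  if (!withCredentials) return true;
  return getHeader(headers, 'Access-Control-Allow-Credentials') === 'true';
}

// Origin-clean means toDataURL()/getImageData() stay allowed after drawImage().
function canvasStaysOriginClean(pageOrigin, image) {
  if (new URL(image.url).origin === pageOrigin) return true; // same origin: nothing to relax
  if (!image.corsRequested) return false;                    // page did not opt in: tainted
  return corsCheckPasses(pageOrigin, image.responseHeaders, image.withCredentials);
}

// Constructed sample cases (origins and headers are made up for illustration).
const PAGE = 'https://app.example';
const img = (url, corsRequested, withCredentials, responseHeaders) =>
  ({ url, corsRequested, withCredentials, responseHeaders });
const cases = {
  sameOrigin:      img('https://app.example/a.png', false, false, {}),
  noHeaders:       img('https://cdn.example/a.png', true, false, {}),
  pageDidNotAsk:   img('https://cdn.example/a.png', false, false,
                       { 'Access-Control-Allow-Origin': '*' }),
  exactOrigin:     img('https://cdn.example/a.png', true, false,
                       { 'access-control-allow-origin': 'https://app.example' }),
  wildcardWithCreds: img('https://cdn.example/a.png', true, true,
                       { 'Access-Control-Allow-Origin': '*' }),
  lookalikeOrigin: img('https://cdn.example/a.png', true, false,
                       { 'Access-Control-Allow-Origin': 'https://app.example.evil.test' }),
};

function runCases() {
  return Object.fromEntries(
    Object.entries(cases).map(([name, c]) => [name, canvasStaysOriginClean(PAGE, c)]));
}
console.log(runCases());
```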
