W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > November 2010

[Bug 11203] Canvas security model does not allow for same-origin relaxation

From: <bugzilla@jessica.w3.org>
Date: Wed, 03 Nov 2010 16:45:19 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PDgSd-0000e9-Mm@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

--- Comment #7 from Matt Schemmel <matt.schemmel@gmail.com> 2010-11-03 16:45:19 UTC ---
I see what you're saying - static resources don't have anyway to handshake
their participation in the sharing.

I understand the reasoning, but it still seems a little strange. Since at least
the Mozilla UA distinguishes between specified and inferred domains, this
effectively means that document.domain and canvas are mutually incompatible
until full CORS support is implemented.

It feels like there might be room for a pragmatic solution that allowed
client-side script-based "promotion" of static resources to ancestral domains
of the resource's own origin... but, yeah, I can see that that's a can of worms
maybe best left unopened.

Maybe it makes sense to at least update the HTML5 spec to make the implicit
dependency on CORS explicit? It looks like there was some early discussion of
the same already...
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-March/018863.html

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 3 November 2010 16:45:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 3 November 2010 16:45:22 GMT