[Bug 12744] New: The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdoma

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12744

           Summary: The crossdomain attribute named as such may prove an
                    attractive talisman for copy-paste/cargocult authors,
                    such that they start applying it on _any_ out of
                    domain img regardless of CORS, especially when they
                    see the no attribute string form <img crossdoma
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#att
                    r-img-crossorigin
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


Specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html
Section:
http://www.whatwg.org/specs/web-apps/current-work/#attr-img-crossorigin

Comment:
The crossdomain attribute named as such may prove an attractive talisman for
copy-paste/cargocult authors, such that they start applying it on _any_ out of
domain img regardless of CORS, especially when they see the no attribute
string form <img crossdomain src="..." /> which doesn't give the author any
semantic clue as to its real purpose.  Adding this attribute might not cause
visible breakage (if whoever is serving the image supports CORS), but it does
change the security attack surface of the application and should not be done
without reason.  Perhaps change the name of the attribute to something that
would not tempt authors to use it outside of CORS scenerios.  (Submitted by
Christian Iivari)

Posted from: 173.72.153.184
User agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 25 May 2011 00:10:43 UTC