
[Bug 14056] New: Please change 4.8.11.2 Security with canvas elements to respect CORS

From: <bugzilla@jessica.w3.org>
Date: Wed, 07 Sep 2011 04:35:14 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-14056-2486@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14056

           Summary: Please change 4.8.11.2 Security with canvas elements
                    to respect CORS
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: major
          Priority: P2
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: gmthundercat@gmail.com
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


In section: 4.8.11.2 Security with canvas elements

While the origin-clean flag is a very sensible addition, no provision has been
specified for CORS. This means if image downloads are parallelized across
subdomains or via a CDN for performance, toDataURL is prevented by a security
exception due to the false origin-clean flag.

Which is very problematic...

Currently Chrome is the only browser that seems to respect CORS for canvas
toDataURL and maintaining the origin-clean flag as true.

This works by providing the two HTTP headers:

access-control-allow-origin:domain
access-control-allow-credentials:false

Can this be added to the HTML5 spec to hopefully cause greater adoption in
other browsers?

At the moment our method of handling this is to catch the exception and put up
a popup saying this functionality only works in Chrome, which isn't ideal.

Received on Wednesday, 7 September 2011 04:35:15 UTC
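
The rule the report asks for, as an added example that is not part of the original message or of any browser's code: a simplified JavaScript model of when a cross-origin image leaves a canvas origin-clean under CORS. The function names, the `crossOrigin` request-mode parameter and the example.com origins are assumptions for illustration.

```javascript
// Simplified model (added example, hypothetical names) of the decision made
// when an image is drawn to a canvas: does the bitmap stay origin-clean?

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// crossOrigin: null (no CORS request), "anonymous" or "use-credentials".
// Note: in real browsers a failed CORS check makes the image load fail
// outright; this model reports that case as "not clean" as well.
function imageKeepsCanvasClean(pageOrigin, imageUrl, crossOrigin, responseHeaders) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === pageOrigin) return true;   // same origin: always clean
  if (crossOrigin === null) return false;        // headers are never consulted

  const h = normalizeHeaders(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;   // server did not opt in

  if (crossOrigin === "use-credentials") {
    // Credentialed requests need an exact origin (no wildcard) and
    // Access-Control-Allow-Credentials: true.
    return allowOrigin === pageOrigin &&
           h["access-control-allow-credentials"] === "true";
  }
  // Anonymous request: wildcard or exact origin match is enough.
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// toDataURL() analogue: throws once any drawn image has tainted the canvas.
function exportCanvas(pageOrigin, drawnImages) {
  for (const img of drawnImages) {
    if (!imageKeepsCanvasClean(pageOrigin, img.url, img.crossOrigin, img.headers)) {
      const err = new Error("canvas is not origin-clean: " + img.url);
      err.name = "SecurityError";
      throw err;
    }
  }
  return "data:image/png;base64,(constructed placeholder)";
}
```

A wildcard `Access-Control-Allow-Origin` only satisfies anonymous requests, so a CDN serving public images does not need to echo each requesting origin.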
