- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 29 Aug 2008 00:21:05 +0200
- To: "Dave Singer" <singer@apple.com>, public-html@w3.org

On Fri, 29 Aug 2008 00:09:00 +0200, Dave Singer <singer@apple.com> wrote:
> I believe (and someone can correct me if I am wrong) that DOM access to
> image/video meta-data is problematic because of cross-site scripting:
> e.g. you design a page which you persuade me to load, that manages to
> load an apple-internal image (which you can't see but I can) which is
> titled "iPhone 5G desktop model", and your scripts extract that info.
> from the image and send it back to you....

Yeah, you would only do that for same origin resources or non same origin resources that have opted in using the Access Control for Cross-Site Requests specification. (See eg how <canvas>.drawImage() and <canvas>.toDataURL() interact with respect to that, although they don't use the Access Control for Cross-Site Requests specification (yet).)

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 28 August 2008 22:21:33 UTC
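
The rule discussed in this message, sketched as an added example that is not part of the original e-mail and not browser code: metadata is readable only for same origin resources or resources whose server opted in, and a canvas that has drawn a non same origin image refuses `toDataURL()`. The function and class names, the URLs and the titles are constructed for illustration; the wildcard handling follows the CORS rule that `*` does not cover credentialed requests.

```javascript
// Added illustration: a simplified model of the rule, not browser code.
// mayExposeMetadata, readTitle and ModelCanvas are hypothetical names.
const originOf = (url) => new URL(url).origin; // scheme + host + port

// May script in the document at docUrl read data derived from resourceUrl?
// allowOrigin: the resource's Access-Control-Allow-Origin response header,
// or undefined when the server did not opt in.
function mayExposeMetadata(docUrl, resourceUrl, allowOrigin, withCredentials = false) {
  const docOrigin = originOf(docUrl);
  if (originOf(resourceUrl) === docOrigin) return true; // same origin
  if (allowOrigin === undefined) return false;          // no opt-in
  if (allowOrigin === "*") return !withCredentials;     // wildcard never covers credentialed fetches
  return allowOrigin === docOrigin;                     // explicit opt-in for this origin
}

// Metadata accessor: returns the title only when the check passes.
function readTitle(docUrl, resource, withCredentials = false) {
  return mayExposeMetadata(docUrl, resource.url, resource.allowOrigin, withCredentials)
    ? resource.title : null;
}

// Canvas as described in the message: any non same origin image clears the
// origin-clean flag (no opt-in consulted), after which toDataURL() refuses.
class ModelCanvas {
  constructor(docUrl) { this.docUrl = docUrl; this.originClean = true; }
  drawImage(resource) {
    if (originOf(resource.url) !== originOf(this.docUrl)) this.originClean = false;
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SecurityError: canvas is not origin-clean");
    return "data:image/png;base64,"; // placeholder for pixel data
  }
}

// Constructed sample data.
const PAGE = "https://pages.example/gallery.html";
const internal = { url: "https://intranet.example/a.png", title: "internal roadmap" };
const shared = { url: "https://cdn.example/b.png", title: "press photo",
                 allowOrigin: "https://pages.example" };
const local = { url: "https://pages.example/c.png", title: "logo" };
```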