W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

[cors] Allow-Credentials vs Allow-Origin: * on image elements?

From: Charlie Reis <creis@chromium.org>
Date: Fri, 2 Jul 2010 14:05:41 -0700
Message-ID: <AANLkTinBgw1lV-0aSbFqznDdM3MXshon2cT9er4DbYKs@mail.gmail.com>
To: public-webapps@w3.org
Hi all--
  I'm trying to understand one of the example use cases in the CORS
specification and how the various rules about credentials apply, and I'm
wondering whether there's an issue to resolve.

  In the "Not tainting the canvas element" example at
http://dev.w3.org/2006/waf/access-control/#use-cases, it looks like the
images will be requested from http://narwhalart.example using <img> tags.
 If so, it's possible the user agent will send cookies on the GET request
for the images.

  If I understand correctly, that implies that the HTTP response would have
to include "Access-Control-Allow-Credentials: true," because cookies are
considered credentials.  However, I also see that providing
"Access-Control-Allow-Credentials: true" means that * cannot be used for
Access-Control-Allow-Origin.  The use case mentions that the server could
make the images accessible to all origins, though.

  Is the server allowed to omit the Access-Control-Allow-Credentials header
and use * for Access-Control-Allow-Origin, despite the presence of cookies
on the image's GET request?

  Also, what is the reason that * is not allowed for responses that allow
credentials?  I've seen it documented in several places, but I'm not sure
why that's the case.  In cases like images or perhaps web fonts, it seems
impractical to prevent credentials from being sent (unlike XmlHttpRequests).

  On a similar note, are the image's GET requests required to carry Origin
HTTP headers?

Thanks in advance,
Charlie Reis
Received on Monday, 5 July 2010 14:31:21 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:39 GMT