Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements?

On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com> wrote:

> On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote:
> [...]
>
>> That's unfortunate-- at least for now, that prevents servers from echoing
>> the origin in the Access-Control-Allow-Origin header, so servers cannot host
>> "public" images that don't taint canvases.  The same problem likely exists
>> for other types of requests that might adopt CORS, like fonts, etc.
>>
>
> Why would public images or fonts need credentials?
>

Because it's undesirable to prevent the browser from sending cookies on an
<img> request, and the user might have cookies for the image's site.  It's
typical for the browser to send cookies on such requests, and those are
considered a type of credentials by CORS.

Charlie



>>
>>> I believe the plan is to change HTML5 once CORS is somewhat more stable
>>> and use it for various pieces of infrastructure there. At that point we can
>>> change <img> to transmit an Origin header with an origin. We could also
>>> decide to change CORS and allow the combination of * and the credentials
>>> flag being true. I think * is not too different from echoing back the value
>>> of a header.
>>
>> I would second the proposal to allow * with credentials.  It seems roughly
>> equivalent to echoing back the Origin header, and it would allow CORS to
>> work on images and other types of requests without changes to HTML5.
>>
>> Thanks,
>> Charlie
>
> --
>     Cheers,
>     --MarkM
>

Received on Wednesday, 7 July 2010 23:12:20 UTC
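The rule the thread is arguing about, as an added example that is not code from the thread, from any browser or from any W3C draft: a server-side helper that echoes an allowlisted Origin together with Allow-Credentials and refuses to combine `*` with credentials, beside a small model of the browser-side check that makes the `*` + credentials combination fail. The function names, the `ALLOWED_ORIGINS` set and the origins in it are assumptions for illustration.

```javascript
// Added example, not from the thread. Models the CORS header rules discussed
// above: a credentialed response must echo the exact origin, never '*'.

// Origins this hypothetical image server is willing to share cookies with.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://docs.example']);

// Decide the CORS response headers for one request.
// `origin`: the request's Origin header, or null when the browser sent none
// (the <img> case the thread describes, where there is nothing to echo).
// `credentialed`: true when the browser attached cookies to the request.
function corsResponseHeaders(origin, credentialed) {
  const headers = {};
  if (!credentialed) {
    // Public, cookie-less resource: a wildcard is fine.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // No Origin to echo, or an origin we do not trust with cookies.
    // Deliberately do not fall back to '*': the browser would reject it anyway.
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  // Caches must not serve one origin's answer to a different origin.
  headers['Vary'] = 'Origin';
  return headers;
}

// Model of the browser's resource-sharing check on a response.
// Returns true when a page at `pageOrigin` may read the response
// (e.g. draw the image to a canvas without tainting it).
function browserAllowsRead(headers, pageOrigin, credentialed) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!credentialed) return acao === '*' || acao === pageOrigin;
  // With credentials, '*' is rejected: the value must match the page's origin
  // exactly and Allow-Credentials must be the literal string "true".
  return acao === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}
```

The `origin === null` path is the situation the thread describes: an `<img>` request that carries cookies but no Origin header gives the server nothing to echo, so the response can only be a cookie-less wildcard or no CORS headers at all.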