W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements?

From: Dirk Pranke <dpranke@chromium.org>
Date: Wed, 7 Jul 2010 18:54:54 -0700
Message-ID: <AANLkTilzh75BqCLJKJjCLO_-gNYTdOQg3hkGzraVtsYP@mail.gmail.com>
To: Charlie Reis <creis@chromium.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
On Wed, Jul 7, 2010 at 5:53 PM, Charlie Reis <creis@chromium.org> wrote:
> It's not just implementation effort-- as I mentioned, it's potentially a
> compatibility question.  If you are proposing not sending cookies on any
> cross-origin images (or other potential candidates for CORS), do you have
> any data about which sites that might affect?
> Personally, I would love to see cross-origin subresource requests change to
> not using cookies, but that could break existing web sites that include
> subresources from partner sites, etc.  Is there a proposal or discussion
> about this somewhere?

I believe we have discussed this in the past and been uncertain as to
whether or not this would break things on the web; we have very little
real-world data as to how CORS is currently being used (if at all). I
think I mentioned the possibility of instrumenting Chrome to look into
this, but haven't yet done so.

-- Dirk

> In the mean time, the canvas tainting example in the spec seems difficult to
> achieve.
> Charlie
>
>
> On Wed, Jul 7, 2010 at 5:05 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>>
>> hmm, I think I quoted the wrong part of your email. I wanted to ask
>> why would it be undesirable to make CORS GET requests cookie-less. It
>> seems the argument here is reduction of implementation work. Is this
>> the only one? Note that even AnonXmlHttpRequest intends to make GET
>> requests cookie-less.
>>
>> Regards
>> devdatta
>>
>>
>> >
>> > I meant "undesirable" in that it will require much deeper changes to
>> > browsers.
>> > I wouldn't mind making it possible to request an image or other
>> > subresource
>> > without cookies, but I don't think there's currently a mechanism for
>> > that,
>> > is there?  And if there's consensus that user agents shouldn't send
>> > cookies
>> > at all on third party subresources, I'm ok with that, but I imagine
>> > there
>> > would be pushback on that sort of proposal-- it would likely affect
>> > compatibility with existing web sites.  I haven't gathered any data on
>> > it,
>> > though.
>> > The benefit to allowing * with credentials is that it lets CORS work
>> > with
>> > the existing browser request logic for images and other subresources,
>> > where
>> > cookies are currently sent with the request.
>> > Charlie
>> >
>> >>
>> >> On 7 July 2010 16:11, Charlie Reis <creis@chromium.org> wrote:
>> >> >
>> >> >
>> >> > On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com>
>> >> > wrote:
>> >> >>
>> >> >> On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org>
>> >> >> wrote:
>> >> >> [...]
>> >> >>>
>> >> >>> That's unfortunate-- at least for now, that prevents servers from
>> >> >>> echoing
>> >> >>> the origin in the Access-Control-Allow-Origin header, so servers
>> >> >>> cannot host
>> >> >>> "public" images that don't taint canvases.  The same problem likely
>> >> >>> exists
>> >> >>> for other types of requests that might adopt CORS, like fonts, etc.
>> >> >>
>> >> >> Why would public images or fonts need credentials?
>> >> >
>> >> > Because it's undesirable to prevent the browser from sending cookies
>> >> > on
>> >> > an
>> >> > <img> request, and the user might have cookies for the image's site.
>> >> >  It's
>> >> > typical for the browser to send cookies on such requests, and those
>> >> > are
>> >> > considered a type of credentials by CORS.
>> >> > Charlie
>> >> >
>> >> >>
>> >> >>
>> >> >>>>
>> >> >>>> I believe the plan is to change HTML5 once CORS is somewhat more
>> >> >>>> stable
>> >> >>>> and use it for various pieces of infrastructure there. At that
>> >> >>>> point
>> >> >>>> we can
>> >> >>>> change <img> to transmit an Origin header with an origin. We could
>> >> >>>> also
>> >> >>>> decide to change CORS and allow the combination of * and the
>> >> >>>> credentials
>> >> >>>> flag being true. I think * is not too different from echoing back
>> >> >>>> the
>> >> >>>> value
>> >> >>>> of a header.
>> >> >>>>
>> >> >>>
>> >> >>> I would second the proposal to allow * with credentials.  It seems
>> >> >>> roughly equivalent to echoing back the Origin header, and it would
>> >> >>> allow
>> >> >>> CORS to work on images and other types of requests without changes
>> >> >>> to
>> >> >>> HTML5.
>> >> >>> Thanks,
>> >> >>> Charlie
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >>     Cheers,
>> >> >>     --MarkM
>> >> >
>> >> >
>> >
>> >
>
>
Received on Thursday, 8 July 2010 01:55:24 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:39 GMT