W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2009

[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

From: Hans Schmucker <hansschmucker@gmail.com>
Date: Fri, 13 Mar 2009 17:24:23 +0100
Message-ID: <f7458d480903130924j6e0bbc3au86762bd4ddd679ff@mail.gmail.com>
This problem recently became apparent while trying to process a public
video on tinyvid.tv:

In article 4.8.11.3 "Security with canvas elements", the origin-clean
flag is only set depending on an element's origin. However there are
many scenarios where an image/video may actually be public and
actively allowing processing on other domains (as indicated by
Access-Control-Allow-Origin).

Is this an oversight or is there a specific reason why Access Control
for Cross-Site Requests should not work for Canvas?
Received on Friday, 13 March 2009 09:24:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:47:49 GMT