W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2009

[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 13 Mar 2009 10:59:18 -0700
Message-ID: <63df84f0903131059m41546613t36b1ee6628eaacf4@mail.gmail.com>
On Fri, Mar 13, 2009 at 9:24 AM, Hans Schmucker <hansschmucker at gmail.com> wrote:
> This problem recently became apparent while trying to process a public
> video on tinyvid.tv:
>
> In article 4.8.11.3 "Security with canvas elements", the origin-clean
> flag is only set depending on an element's origin. However there are
> many scenarios where an image/video may actually be public and
> actively allowing processing on other domains (as indicated by
> Access-Control-Allow-Origin).
>
> Is this an oversight or is there a specific reason why Access Control
> for Cross-Site Requests should not work for Canvas?

I think it's because the majority of the <canvas> spec was developed
before the Access Control spec existed. Or at least before it had the
ability to work on images (originally it only worked on XML data).

/ Jonas
Received on Friday, 13 March 2009 10:59:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:47:49 GMT