
[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

From: Hans Schmucker <hansschmucker@gmail.com>
Date: Sat, 14 Mar 2009 14:00:14 +0100
Message-ID: <f7458d480903140600g1f78d915gcd06657550cdbb21@mail.gmail.com>

Doesn't that kind of defeat the purpose of access control to have fine-grained
control over who is allowed access? Public resources are a
quick fix for most scenarios that I can imagine, but I think using
patterns would appear more consistent and logical to most users. It
may not be terribly useful, but it would avoid a few embarrassing
moments for people who use access control.

On 3/14/09, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Sat, Mar 14, 2009 at 12:53 PM, Hans Schmucker
> <hansschmucker at gmail.com> wrote:
>
>> Question is: what would be the best way to fix it? Of course the spec
>> could be changed for video and image, but wouldn't it be simpler to
>> update the definition of origins to include patterns that can represent
>> allow rules?
>>
>
> I don't think changing the definition of origins is the right way to go. It
> seems better to define a category of "public" resources, specify that a
> resource served with "Access-Control-Allow-Origin: *" is "public", and have
> <canvas> treat public resources specially.
>
> Rob
> --
> "He was pierced for our transgressions, he was crushed for our iniquities;
> the punishment that brought us peace was upon him, and by his wounds we are
> healed. We all, like sheep, have gone astray, each of us has turned to his
> own way; and the LORD has laid on him the iniquity of us all." [Isaiah
> 53:5-6]
>
Received on Saturday, 14 March 2009 06:00:14 GMT
