- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sat, 24 Apr 2010 09:45:33 -0700

On Fri, Apr 23, 2010 at 5:56 PM, Anne van Kesteren <annevk at opera.com> wrote:
> On Sat, 24 Apr 2010 04:04:57 +0900, Jonas Sicking <jonas at sicking.cc> wrote:
>>
>> This would require changes to both HTML and to CORS, but not too bad.
>> And the result is significantly better as it doesn't require the user
>> to get involved and decide what's safe and what's not.
>
> What changes to CORS would be required? It is designed to make this "just
> work" so if anything is wrong I'd like to know. Specifically the "resource
> sharing check" is what HTML would use here.

Ah, I see that CORS doesn't require the network connection to be
aborted even when the "cross-origin request status" reaches "network
error". So it does indeed seem like all that's needed is for HTML to
say that CORS should be used while fetching the image, and that if the
resulting "cross-origin request status" is "success", then tainting
doesn't happen when said image is drawn into a canvas.

/ Jonas

Received on Saturday, 24 April 2010 09:45:33 UTC
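
The taint decision discussed in this message, as an added example that is not part of the original e-mail or of any browser's code: a simplified model of the CORS "resource sharing check" applied to an image response, followed by the canvas tainting rule. Function names, origins and header lists are hypothetical and constructed for illustration; redirects and preflight are not modelled.

```javascript
// Collect every value of a response header; header names are case-insensitive.
// `headers` is a list of [name, value] pairs so repeated headers stay visible.
function headerValues(headers, name) {
  return headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
}

// Returns "success" or "network error", the two statuses named in the message.
function crossOriginRequestStatus(sourceOrigin, headers, withCredentials) {
  const allowOrigin = headerValues(headers, "Access-Control-Allow-Origin");
  if (allowOrigin.length !== 1) return "network error"; // missing or repeated
  if (allowOrigin[0] === "*") {
    // The wildcard only passes for requests sent without credentials.
    return withCredentials ? "network error" : "success";
  }
  if (allowOrigin[0] !== sourceOrigin) return "network error"; // exact match only
  if (withCredentials) {
    const creds = headerValues(headers, "Access-Control-Allow-Credentials");
    if (creds.length !== 1 || creds[0] !== "true") return "network error";
  }
  return "success";
}

// The image bytes arrive either way (the connection is not aborted), so the
// image can still be displayed; only the canvas taint flag depends on the check.
function drawTaintsCanvas(pageOrigin, imageOrigin, headers, withCredentials) {
  if (imageOrigin === pageOrigin) return false; // same-origin never taints
  return crossOriginRequestStatus(pageOrigin, headers, withCredentials) !== "success";
}

// Constructed sample responses for an image on a different origin.
const PAGE = "https://app.example";
const IMG = "https://images.example";
const samples = {
  noCorsHeaders: [["Content-Type", "image/png"]],
  wildcard: [["Access-Control-Allow-Origin", "*"]],
  exactOrigin: [["access-control-allow-origin", PAGE],
                ["Access-Control-Allow-Credentials", "true"]],
  otherOrigin: [["Access-Control-Allow-Origin", "https://other.example"]],
  duplicated: [["Access-Control-Allow-Origin", PAGE],
               ["Access-Control-Allow-Origin", "*"]],
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, "taints canvas:", drawTaintsCanvas(PAGE, IMG, headers, false));
}
```

A tainted canvas is what blocks script from reading pixels back, so every failure path here leaves the image usable for display but unreadable to the embedding page.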