
[whatwg] Adding crossorigin="" to more elements

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 29 Nov 2012 00:42:06 +0000 (UTC)
To: Robert Kieffer <broofa@fb.com>, Pablo Flouret <pablof@motorola.com>, Boris Zbarsky <bzbarsky@MIT.EDU>, "Tab Atkins Jr." <jackalmage@gmail.com>
Message-ID: <Pine.LNX.4.64.1211282306550.1991@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@whatwg.org>

On Thu, 1 Mar 2012, Robert Kieffer wrote:
>
> For reasons documented in 
> https://bugzilla.mozilla.org/show_bug.cgi?id=696301, I'd like to propose 
> that support for the "crossorigin" attribute be added to SCRIPT tags.
> 
> tl;dr - When applied to window.onerror information, the same-origin 
> policy makes it near-impossible to host script resources on a CDN, while 
> simultaneously using window.onerror to gather information about JS 
> errors.

Done.


On Tue, 28 Aug 2012, Boris Zbarsky wrote:
>
> I just added support for <link rel="stylesheet" crossorigin> in 
> Gecko.[1] Such links are subject to CORS checks if the load is 
> cross-site, and the sheet load will fail if the CORS check fails.  If 
> the CORS check succeeds, script in the page will be able to script the 
> cross-site stylesheet.
> 
> This allows stylesheets served from a CDN to be scripted by the page if 
> desired, so I would like to propose that we add this feature to the 
> spec.

Done, at least on the HTML side. For now it just makes .sheet return null 
for cross-origin resources. If that's not quite right, please update this 
bug with the details:

   https://www.w3.org/Bugs/Public/show_bug.cgi?id=14703

...and I'll try to fix it when I update that part of the spec (the 
CSSOM/HTML coordination).


> An open issue: what to do about @import?  I haven't done anything magic 
> here yet.  Inheriting the CORS mode from the importing sheet is a bit 
> weird, and I wasn't quite sure I wanted to make CSS syntax changes at 
> this time.

Inheriting the mode isn't so bad, all it really does is decide whether or 
not to send an Origin header.


On Tue, 28 Aug 2012, Boris Zbarsky wrote:
> 
> If the CORS mode is inherited from the importing sheet, then I think the 
> "origin" for the fetch should be the page, not the importing sheet, 
> since the page is what would get access to the stylesheet data.

Right, the origin of the importing sheet in this situation is the origin 
of the page that imported it, not the origin of its URL. That's what CORS 
does, it changes the effective origin of a resource from being the origin 
its URL would suggest it had, to being the origin of its caller.


> Maybe this is OK, but it's non-obvious; usually for security purposes 
> the importing sheet is what affects things like can-load checks, Referer 
> headers, etc.

Presumably a CORS-same-origin sheet would use the security characteristics 
of the page, since the page can make the style sheet dance as if it was 
its puppet.

Anyway, that part of it belongs in CSS/CSSOM.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 29 November 2012 00:47:23 GMT
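
An added illustration, not part of the original message and not browser or spec code: a simplified JavaScript model of how the crossorigin attribute discussed in this thread selects the CORS mode for a script or stylesheet load, and what the page may then inspect. The function names, field names and example.com origins are hypothetical and constructed for the example.

```javascript
// Simplified model (assumption: covers only simple GET loads of a
// <script> or <link rel="stylesheet">; no redirects, no preflight).

// Map the crossorigin attribute to a CORS mode.
// Absent attribute -> no-cors; "", "anonymous" and invalid values -> anonymous.
function corsMode(crossorigin) {
  if (crossorigin === undefined || crossorigin === null) return 'no-cors';
  return String(crossorigin).toLowerCase() === 'use-credentials'
    ? 'cors-credentials'
    : 'cors-anonymous';
}

// Returns whether an Origin header is sent, whether the load succeeds,
// and whether the page may inspect the resource (unmuted window.onerror
// details for a script, scripting the sheet for a stylesheet).
function evaluateLoad({ pageOrigin, resourceUrl, crossorigin, responseHeaders = {} }) {
  const mode = corsMode(crossorigin);
  const crossSite = new URL(resourceUrl).origin !== pageOrigin;
  if (!crossSite) {
    return { mode, sendsOrigin: false, loads: true, pageCanInspect: true };
  }
  if (mode === 'no-cors') {
    // Resource is used, but stays opaque to the page.
    return { mode, sendsOrigin: false, loads: true, pageCanInspect: false };
  }
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const acao = h['access-control-allow-origin'];
  // Credentialed requests need an exact origin match, never "*".
  const pass = mode === 'cors-credentials'
    ? acao === pageOrigin && h['access-control-allow-credentials'] === 'true'
    : acao === '*' || acao === pageOrigin;
  // A failed CORS check fails the load outright.
  return { mode, sendsOrigin: true, loads: pass, pageCanInspect: pass };
}

// Constructed sample inputs.
const PAGE = 'https://app.example.com';
const CDN_SCRIPT = 'https://cdn.example.com/app.js';

console.log(evaluateLoad({ pageOrigin: PAGE, resourceUrl: CDN_SCRIPT }));
console.log(evaluateLoad({
  pageOrigin: PAGE, resourceUrl: CDN_SCRIPT, crossorigin: '',
  responseHeaders: { 'Access-Control-Allow-Origin': '*' },
}));
```
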
