W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2013

Re: [whatwg] Adding crossorigin="" to more elements

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 17 Jun 2013 07:50:38 -0400
Message-ID: <51BEF80E.9080906@mit.edu>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: whatwg <whatwg@whatwg.org>, Ian Hickson <ian@hixie.ch>, Adam Barth <abarth@eecs.berkeley.edu>
On 6/17/13 7:38 AM, Anne van Kesteren wrote:
> On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> Right.  My point was that "cross-origin" for the case of stylesheet at least
>> in Gecko depends on the origin of the script that tries to modify them, not
>> on the origin of the document that linked to them...
>
> Is there a good reason for this? This seems fairly distinct from how
> <img>, <script>, and <video> work.

Just in terms of considering effective script origins instead of origins?

<img> and <video> compare the origin of the canvas to the origin of the 
image/video, if you mean the security check I think you mean.  It 
explicitly doesn't use effective script origin because you can't set 
that on <img>.

<script>, if you mean the onerror checks, in Gecko checks whether the 
effective script origin of the window whose onerror is about to fire 
matches the origin of the script.  And we make the origin of the script 
an alias of the effective script origin of the document it's loaded into 
in cases when the script was either loaded no-cors or passed cors 
security checks.  What do other UAs do?

Again, the default security check in Gecko is always against effective 
script origin, so any check that predates a recent spec is always that 
way.  Whether there's a good reason for it needs to be checked on a 
case-by-case basis.

-Boris
Received on Monday, 17 June 2013 11:51:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:22 UTC