- From: L. David Baron via GitHub <sysbot+gh@w3.org>
- Date: Tue, 30 May 2017 22:29:49 +0000
- To: public-css-archive@w3.org
Other ways of using cross-domain images don't allow introspection into the contents of the image -- I think they only get access to the size. With a url-defined shape, the page gets access to a good bit of detail about the pixel data. There are pretty substantial security mechanisms in other parts of the Web platform (e.g., canvas tainting) to prevent this sort of information leakage from happening elsewhere. It's possible the details here need to be tuned (e.g., use of anonymous mode vs other existing options vs. the proposal in whatwg/fetch#517), but I think a CORS check does need to happen for cross-domain images. -- GitHub Notification of comment by dbaron Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305027228 using your GitHub account
Received on Tuesday, 30 May 2017 22:29:56 UTC