- From: Amelia Bellamy-Royds via GitHub <sysbot+gh@w3.org>
- Date: Wed, 31 May 2017 00:41:17 +0000
- To: public-css-archive@w3.org

I agree with Tab that shape-outside is equivalent to scripting access. The only other option would be to "taint" access to the offset positions and size of all elements in the same flow-root as the floated object.

But maybe the spec could gain an informative note helping authors avoid issues? For example, clearly warning that many browsers treat `file:` URLs as cross-origin.

From my own experience, the biggest problem with CORS and shape-outside is that it can fail even if the server is set up to enable CORS. If you are using the image for something else that _doesn't_ require CORS (e.g., as an `<img>`, background image, or mask image), the browser requests the file without CORS permissions, and then when it gets to `shape-outside` (or another property that does need CORS) it looks at the HTTP headers for the already-downloaded file & determines that it doesn't meet CORS.

Unfortunately, the nature of HTTP CORS doesn't make this easy to solve. The server is only allowed to give permissions for one domain at a time, so most server settings only provide permission on request.

So... one way to make things easier would be to push ahead with the `url()` modifier to allow authors to upgrade all image requests to ask for cross-origin permissions (which I'm sure I've seen specified somewhere, but I can't find it anymore). That way, a `background-image` reference wouldn't break a `shape-outside` reference.

--
GitHub Notification of comment by AmeliaBR
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305048586 using your GitHub account
Received on Wednesday, 31 May 2017 00:41:24 UTC
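
The reuse failure described in the message above, as an added example that is not part of the original message: a simplified model of a server that sends `Access-Control-Allow-Origin` only when the request carries an `Origin` header, and of a response cache keyed by URL that honours `Vary`. The cache model, the function names and the `app.example` / `cdn.example` hosts are assumptions made for illustration, not browser internals.

```javascript
// Simplified model (an assumption, not real browser internals).
const ALLOWED = new Set(["https://app.example"]); // constructed origin

// Server grants CORS "on request": only when an allowed Origin header is sent.
function serve(requestHeaders, sendVary) {
  const headers = {};
  const origin = requestHeaders["origin"];
  if (origin && ALLOWED.has(origin)) {
    headers["access-control-allow-origin"] = origin; // one origin per response
  }
  if (sendVary) headers["vary"] = "Origin";
  return { headers, body: "<image bytes>" };
}

// Cache keyed by URL plus whatever request headers the response's Vary names.
class Cache {
  constructor() { this.entries = []; }
  lookup(url, requestHeaders) {
    return this.entries.find((e) => e.url === url &&
      e.varyNames.every((n) => e.requestHeaders[n] === requestHeaders[n]));
  }
  store(url, requestHeaders, response) {
    const varyNames = (response.headers["vary"] || "").split(",")
      .map((s) => s.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url, requestHeaders, response, varyNames });
  }
}

function fetchThroughCache(cache, url, requestHeaders, sendVary) {
  const hit = cache.lookup(url, requestHeaders);
  if (hit) return hit.response; // reused as-is, headers included
  const response = serve(requestHeaders, sendVary);
  cache.store(url, requestHeaders, response);
  return response;
}

function passesCorsCheck(response, origin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === origin || acao === "*";
}

// background-image loads first without Origin, then shape-outside needs CORS.
function shapeOutsideUsable(sendVary) {
  const cache = new Cache();
  const url = "https://cdn.example/shape.png"; // constructed URL
  const origin = "https://app.example";
  fetchThroughCache(cache, url, {}, sendVary);
  const reused = fetchThroughCache(cache, url, { origin }, sendVary);
  return passesCorsCheck(reused, origin);
}
```

In this model the second load fails the check when the server omits `Vary: Origin`, because the response stored for the non-CORS request is reused; with `Vary: Origin` the cache treats the CORS request as a different variant and asks the server again.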