W3C home > Mailing lists > Public > public-css-archive@w3.org > May 2017

Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

From: Amelia Bellamy-Royds via GitHub <sysbot+gh@w3.org>
Date: Wed, 31 May 2017 00:41:17 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-305048586-1496191275-sysbot+gh@w3.org>
I agree with Tab that shape-outside is equivalent to scripting access.  The only other option would be to "taint" access to the offset positions and size of all elements in the same flow-root as the floated object.

But maybe the spec could gain an informative note helping authors avoid issues?  For example, clearly warning that many browsers treat `file:` URLs as cross-origin.

>From my own experience, the biggest problem with CORS and shape-outside is that it can fail even if the server is set up to enable CORS.  If you are using the image for something else that _doesn't_ require CORS (e.g., as an `<img>`, background image, or mask image), the browser requests the file without CORS permissions, and then when it gets to `shape-outside` (or another property that does need CORS) it looks at the HTTP headers for the already-downloaded file & determines that it doesn't meet CORS.

Unfortunately, the nature of HTTP CORS doesn't make this easy to solve.  The server is only allowed to give permissions for one domain at a time, so most server settings only provide permission on request. 

So... one way to make things easier would be to push ahead with the `url()` modifier to allow authors to upgrade all image requests to ask for cross-origin permissions (which I'm sure I've seen specified somewhere, but I can't find it anymore).  That way, a `background-image` reference wouldn't break a `shape-outside` reference.

-- 
GitHub Notification of comment by AmeliaBR
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305048586 using your GitHub account
Received on Wednesday, 31 May 2017 00:41:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 10:12:54 UTC