[Bug 12744] The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdoma

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12744

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |ian@hixie.ch
         Resolution|                            |NEEDSINFO

--- Comment #4 from Ian 'Hixie' Hickson <ian@hixie.ch> 2011-08-31 23:50:42 UTC ---
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are
satisfied with this response, please change the state of this bug to CLOSED. If
you have additional information and would like the editor to reconsider, please
reopen this bug. If you would like to escalate the issue to the full HTML
Working Group, please add the TrackerRequest keyword to this bug, and suggest
title and text for the tracker issue; or you may create a tracker issue
yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Did Not Understand Request
Change Description: no spec change
Rationale: What's the attack scenario here? I would have set it implicitly on
all <img> elements if it wasn't for compatibility concerns, so I don't
understand why it would be bad for people to set it. In fact if anything, <img
crossdomain src="..."> is safer than <img src="..."> since it removes cookies
from the request.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 31 August 2011 23:50:45 UTC