- From: <bugzilla@jessica.w3.org>
- Date: Thu, 23 Jun 2011 22:23:19 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888

Shelley Powers <shelleyp@burningbird.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |TrackerRequest

--- Comment #18 from Shelley Powers <shelleyp@burningbird.net>  2011-06-23 22:23:17 UTC ---

I'm told there's a rule in the HTML WG that those outside the group cannot request for a change to be reverted. That means another tracker issue. I also noticed a new email[1] that just adding the TrackerRequest keyword is no longer sufficient. All of these new and changing rules do make it extremely difficult for people to provide the commentary that the group supposedly has asked for with Last Call.

Be that as it may, following is my TrackerRequest title and purpose:

Title: Remove the crossorigin and CORS normative dependency from the HTML WG.

Purpose: Recently the editor added an attribute, crossorigin, as well as a normative dependency on the CORS (Cross-Origin Resource Sharing) specification to the HTML5 specification. He did not do so in answer to any bug submitted to the W3C bugzilla database, nor based on any request emailed to the group. Only by reverse engineering the documentation for the change are we made aware that this request came about because of a request from someone supposedly related to the WebGL effort. This request was made based on feedback from various security groups about the insecurity of WebGL, specifically one security issue related to the access of images and videos from domains outside of the domain serving the web page (same source).

This change does not "fix" the problem related to WebGL--in actuality, the security vulnerability still exists. What this problem does is more or less just shove the responsibility for the problems off the software implementation and on to the application developers.
This solution makes several assumptions, not the least of which that it provides a safe way to fulfill the original use cases given within the WebGL for supporting cross-domain resource access for texture use. Originally, WebGL restricted cross-domain resource access for textures, most likely because of security concerns. However, after exploring the original use cases given for adding cross-domain resource access (such as using an ad from an ad service to embed an image into a 3D world, or using images served up at Flickr or AWS), there is no guarantee that this solution will fix the problem. Why? Because those serving the remote resources must also agree to the use of CORS, and I know for a fact that at least one of the services has already expressed reluctance to do so (AWS). Point of fact, I'm not sure any service is going to be willing to incorporate a functionality that is meant to bypass security protocols, for a technology group delivering a product that at least two security organizations have recommended against.

In addition, the addition of crossorigin also created a normative dependency in HTML for the CORS specification, which is, itself, a draft specification not currently robust enough for Last Call status. Though CORS was listed as a reference in the LC HTML5 document, I don't believe there was a normative dependency in the HTML5 specification for CORS previous to this. Hard to say, since HTML5 is such a large and far reaching document.

My time right now is limited, but I believe I'll also have other strong technical objections to submit against crossorigin in the near future. For now, this will have to do.

Not part of the Tracker issue and just a general note: It would help to have an actual bug that someone submitted asking for crossorigin, including actual technical reasons why this functionality is needed, and _why no other solution is viable_. I don't believe the latter was ever answered--at the WHATWG, or here in the W3C.
It would help to also know if any other group other than WebGL expressly needs this attribute. Considering that the editor's employer is a big backer of WebGL, I can't help wondering if the editor would be as willing to modify HTML5 if another group--say Adobe or Microsoft--asked for something specifically because of security concerns about any of their products.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 23 June 2011 22:23:25 UTC
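The comment's central technical point is that adding crossorigin to an <img> or <video> does nothing by itself: the host serving the image must also opt in by answering with the CORS headers, and until it does the texture either stays unreadable or the load fails outright. The following is an added illustration of that decision, not code from the bug comment, from the HTML or CORS specifications, or from any browser. It is a simplified model of the HTML "CORS settings attribute" rules and the CORS check a browser applies to the response; the origins, header values and scenarios are constructed sample values.

```javascript
// Added illustration, not code from the bug comment or from any browser/W3C
// project. It models, in simplified form, the outcome a browser reaches when
// an <img> or <video> with a crossorigin attribute is loaded from another
// origin and then used as a WebGL texture or canvas source. Origins and
// headers below are constructed sample values.

const USABLE = "usable";   // loaded and pixel data readable (texture upload allowed)
const TAINTED = "tainted"; // loads and displays, but cross-origin pixels stay unreadable
const BLOCKED = "blocked"; // CORS check fails: the element fires an error event

// Maps the crossorigin attribute to a CORS mode. A missing attribute means no
// CORS request at all; any other value except "use-credentials" (including an
// empty string, as in a bare `crossorigin`) is treated as "anonymous".
function corsMode(crossorigin) {
  if (crossorigin === null || crossorigin === undefined) return null;
  return String(crossorigin).toLowerCase() === "use-credentials" ? "use-credentials" : "anonymous";
}

// Header names are case-insensitive; fold them before lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Client-side decision: what the page author gets from adding crossorigin.
function corsImageDecision({ pageOrigin, resourceOrigin, crossorigin, responseHeaders = {} }) {
  const mode = corsMode(crossorigin);
  const h = normaliseHeaders(responseHeaders);

  // Same-origin resources never needed CORS; they were always usable.
  if (pageOrigin.toLowerCase() === resourceOrigin.toLowerCase()) return USABLE;

  // Without the attribute the image still loads, but WebGL/canvas may not read it.
  if (mode === null) return TAINTED;

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return BLOCKED; // the remote host did not opt in

  if (mode === "anonymous") {
    return allowOrigin === "*" || allowOrigin === pageOrigin ? USABLE : BLOCKED;
  }

  // use-credentials: a wildcard is rejected and credentials must be explicitly allowed.
  const allowCreds = (h["access-control-allow-credentials"] || "").toLowerCase();
  return allowOrigin === pageOrigin && allowCreds === "true" ? USABLE : BLOCKED;
}

// Server-side opt-in: what the host of the image (an ad network, a photo
// service) would have to add. An explicit allow-list is used instead of "*",
// and Vary: Origin keeps shared caches from replaying one origin's answer to
// another page.
function corsResponseHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Constructed scenarios: the page author adds crossorigin="anonymous" to an
// <img> served by another host; the result depends entirely on that host.
function runScenarios() {
  const page = "https://game.example";   // constructed origin of the WebGL page
  const host = "https://images.example"; // constructed origin of the image host
  return {
    noAttribute: corsImageDecision({ pageOrigin: page, resourceOrigin: host, crossorigin: null }),
    hostSilent: corsImageDecision({ pageOrigin: page, resourceOrigin: host, crossorigin: "anonymous" }),
    hostOptsIn: corsImageDecision({
      pageOrigin: page, resourceOrigin: host, crossorigin: "anonymous",
      responseHeaders: corsResponseHeaders(page, [page]),
    }),
    // A response addressed to a different origin (e.g. served from a cache
    // that ignored Vary: Origin) fails the check just like no header at all.
    hostAnswersOtherOrigin: corsImageDecision({
      pageOrigin: page, resourceOrigin: host, crossorigin: "anonymous",
      responseHeaders: { "Access-Control-Allow-Origin": "https://other.example" },
    }),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Two of the four scenarios end in "blocked" even though the page author did everything the new attribute asks of them, which is the situation the comment describes: the attribute moves the decision to the resource host, and a host that declines (or misconfigures) CORS leaves the WebGL application with no texture at all rather than a tainted one.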