[Bug 12888] the crossorigin attribute from bugzilla@jessica.w3.org on 2011-06-23 (public-html-bugzilla@w3.org from June 2011)

From: <bugzilla@jessica.w3.org>
Date: Thu, 23 Jun 2011 22:23:19 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QZsIx-0002Iq-JK@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888

Shelley Powers <shelleyp@burningbird.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |TrackerRequest

--- Comment #18 from Shelley Powers <shelleyp@burningbird.net> 2011-06-23 22:23:17 UTC ---
I'm told there's a rule in the HTML WG that those outside the group cannot
request for a change to be reverted. 

That means another tracker issue. 

I also noticed a new email[1] that just adding the TrackerRequest keyword is no
longer sufficient. All of these new and changing rules do make it extremely
difficult for people to provide the commentary that the group supposedly has
asked for with Last Call. 

Be that as it may be, following is my TrackerRequest title and purpose:

Title: Remove the crossorigin and CORS normative dependency from the HTML WG.

Purpose: Recently the editor added an attribute, crossorigin, as well as a
normative dependency on the CORS (Cross-Origin Resource Sharing) specification
to the HTML5 specification. He did not do in answer to any bug submitted to the
W3C bugzilla database, nor based on any request emailed to the group. 

Only by reverse engineering the documentation for the change are we made aware
that this request came about because of a request from someone supposedly
related to the WebGL effort. This request was made based on feedback from
various security groups about the insecurity of WebGL, specifically one
security issue related to the access of images and videos from domains outside
of the domain serving the web page (same source).

This change does not "fix" the problem related to WebGL--in actuality, the
security vulnerability still exists. What this problem does is more or less
just shove the responsibility for the problems off the software implementation
and on to the application developers. 

This solution makes several assumptions, not the least of which that it
provides a safe way to fulfill the original use cases given within the WebGL
for supporting cross-domain resource access for texture use. Originally, WebGL
restricted cross-domain resource access for textures, most likely because of
security concerns. 

However, after exploring the original use cases given for adding cross-domain
resource access(such as using an ad from an ad service to embed an image into a
3D world, or using images served up at Flickr or AWS), there is no guarantee
that this solution will fix the problem. Why? Because those serving the remote
resources must also agree to the use of CORS, and I know for a fact that at
least one of the services has already expressed reluctance to do so (AWS). 

Point of fact, I'm not sure any service is going to be willing to incorporate a
functionality that is meant to bypass security protocols, for a technology
group delivering a product that at least two security organizations have
recommended against. 

In addition, the addition of crossorigin also created a normative dependency in
HTML for the CORS specification, which is, itself, a draft specification not
currently robust enough for Last Call status. Though CORS was listed as a
reference in the LC HTML5 document, I don't believe there was a normative
dependency in the HTML5 specification for CORs previous to this. Hard to say,
since HTML5 is such a large and far reaching document.

My time right now is limited, but I believe I'll also have other strong
technical objections to submit against crossorigin in the near future. For now,
this will have to do.

Not part of the Tracker issue and just a general note: 

It would help to have an actual bug that someone submitted asking for
crossorigin, including actual technical reasons why this functionality is
needed, and _why no other solution is viable_. I don't believe the latter was
ever answered--at the WHATWG, or here in the W3C. It would help to also know if
any other group other than WebGL expressly needs this attribute. 

Considering that the editor's employer is a big backer of WebGL, I can't help
wondering if the editor would be as willing to modify HTML5 if another
group--say Adobe or Microsoft--asked for something specifically because of
security concerns about any of their products.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 23 June 2011 22:23:25 UTC