
[Bug 14056] Please change 4.8.11.2 Security with canvas elements to respect CORS

From: <bugzilla@jessica.w3.org>
Date: Fri, 21 Oct 2011 00:17:05 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1RH2nJ-0002T2-Vi@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14056

Ben Adams <gmthundercat@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

--- Comment #7 from Ben Adams <gmthundercat@gmail.com> 2011-10-21 00:17:05 UTC ---
(In reply to comment #6)
> EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are
> satisfied with this response, please change the state of this bug to CLOSED. If
> you have additional information and would like the editor to reconsider, please
> reopen this bug. If you would like to escalate the issue to the full HTML
> Working Group, please add the TrackerRequest keyword to this bug, and suggest
> title and text for the tracker issue; or you may create a tracker issue
> yourself, if you are able to do so. For more details, see this document:
>    http://dev.w3.org/html5/decision-policy/decision-policy.html
> 
> Status: Accepted
> Change Description: no spec change
> Rationale: This seems to have been fixed already, as noted by bz above. Please
> let me know if there is anything I can do in the spec to make this clearer.

The fix was only for 3d canvas in Firefox. As shown by this link
http://www.illyriad.co.uk/CORSTest.htm

As all browsers other than Chrome fail when using toDataURL on 2d canvas when
cross-domain images and valid CORS headers are used, I was hoping it could be
made clearer in the spec (since it is _so_ widespread).

Perhaps a caveat in the same-origin section to say be aware to pay attention to
CORS when something fails the same-origin test before applying security
restrictions. Or in the Security with canvas elements to explicitly state to
pay attention to CORS when setting the origin-clean flag to false?

Received on Friday, 21 October 2011 00:17:07 UTC
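
The rule the comment above asks the spec to state, modelled as an added JavaScript example (not part of the original message and not any browser's code): a cross-origin image clears the origin-clean flag only if it also fails a CORS check. `ModelCanvas`, `corsCheckPasses`, `canExport` and the image record fields are hypothetical names; the `corsMode` field stands in for the `crossorigin` attribute and the credentialed-request rule is included as an assumption that goes beyond the message.

```javascript
// Added model of the canvas origin-clean flag; not browser or spec code.
// ModelCanvas, corsCheckPasses, canExport and the image fields are hypothetical.
// Simplified CORS check for an image response.
function corsCheckPasses(docOrigin, image) {
  if (!image.corsMode) return false; // not a CORS-mode fetch: headers are ignored
  const allow = image.headers["access-control-allow-origin"];
  if (image.corsMode === "use-credentials") {
    // A wildcard is not accepted when credentials are sent.
    return allow === docOrigin &&
      image.headers["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === docOrigin;
}

class ModelCanvas {
  constructor(docOrigin) {
    this.docOrigin = docOrigin;
    this.originClean = true; // a new bitmap starts origin-clean
  }
  drawImage(image) {
    const sameOrigin = image.origin === this.docOrigin;
    // The behaviour the comment asks for: consult CORS before clearing the flag.
    if (!sameOrigin && !corsCheckPasses(this.docOrigin, image)) {
      this.originClean = false; // never reset by later draws
    }
  }
  toDataURL() {
    if (!this.originClean) throw Object.assign(new Error("canvas is not origin-clean"), { name: "SecurityError" });
    return "data:,"; // placeholder: this model holds no pixels
  }
}

// Constructed sample images (origins and headers are made up).
const DOC = "https://app.example", CDN = "https://cdn.example";
const acao = (v, extra = {}) => ({ "access-control-allow-origin": v, ...extra });
const samples = {
  local: { origin: DOC, corsMode: null, headers: {} },
  corsOk: { origin: CDN, corsMode: "anonymous", headers: acao("*") },
  headersButNoCorsFetch: { origin: CDN, corsMode: null, headers: acao("*") },
  wildcardWithCreds: { origin: CDN, corsMode: "use-credentials",
    headers: acao("*", { "access-control-allow-credentials": "true" }) },
};

// Draw the images in order and report whether toDataURL() succeeds.
function canExport(images) {
  const canvas = new ModelCanvas(DOC);
  images.forEach((img) => canvas.drawImage(img));
  try { canvas.toDataURL(); return true; } catch (e) { return false; }
}
```

The third sample is the case to watch when reviewing a page: a server that sends permissive headers does not keep the canvas exportable unless the image was requested in CORS mode.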
