hixie: First draft for working out how to use CORS with <img>, <video>, and <audio>. (whatwg r6142)

hixie: First draft for working out how to use CORS with <img>, <video>,
and <audio>. (whatwg r6142)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4940&r2=1.4941&f=h
http://html5.org/tools/web-apps-tracker?from=6141&to=6142

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4940
retrieving revision 1.4941
diff -u -d -r1.4940 -r1.4941
--- Overview.html 16 May 2011 23:52:51 -0000 1.4940
+++ Overview.html 18 May 2011 01:09:39 -0000 1.4941
@@ -606,7 +606,8 @@
      <li><a href="#concept-http-equivalent"><span class="secno">2.7.1 </span>Protocol concepts</a></li>
      <li><a href="#encrypted-http-and-related-security-concerns"><span class="secno">2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
      <li><a href="#content-type-sniffing"><span class="secno">2.7.3 </span>Determining the type of a resource</a></li>
-     <li><a href="#extracting-encodings-from-meta-elements"><span class="secno">2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></ol></li>
+     <li><a href="#extracting-encodings-from-meta-elements"><span class="secno">2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
+     <li><a href="#cors-settings-attributes"><span class="secno">2.7.5 </span>CORS settings attributes</a></ol></li>
    <li><a href="#common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</a>
     <ol>
      <li><a href="#reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3044,6 +3045,16 @@
 
    </dd>
 
+   <dt>CORS</dt>
+
+   <dd>
+
+    <p>The following terms are defined in the CORS specification:</p>
+
+    <ul class="brief"><li><dfn id="cross-origin-request">cross-origin request</dfn>
+     <li><dfn id="cross-origin-request-status">cross-origin request status</dfn>
+    </ul></dd>
+
    <dt>CSS modules</dt>
 
    <dd>
@@ -6271,7 +6282,23 @@
   that, historically, were related to HTTP, the syntax as supported by
   implementations diverged some time ago. <a href="#refsHTTP">[HTTP]</a></p>
 
-  </div><h3 id="common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</h3><h4 id="reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</h4><p>Some IDL attributes are defined to <dfn id="reflect">reflect</dfn> a
+  </div><h4 id="cors-settings-attributes"><span class="secno">2.7.5 </span>CORS settings attributes</h4><p>A <dfn id="cors-settings-attribute">CORS settings attribute</dfn> is an <a href="#enumerated-attribute">enumerated
+  attribute</a>. The following table lists the keywords and states
+  for the attribute &mdash; the keywords in the left column map to the
+  states in the cell in the second column on the same row as the
+  keyword.<table><thead><tr><th> Keyword
+     <th> State
+     <th> Brief description
+   <tbody><tr><td><dfn id="attr-cross-origin-anonymous-keyword" title="attr-cross-origin-anonymous-keyword"><code>anonymous</code></dfn>
+     <td><dfn id="attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</dfn>
+     <td>Cross-origin CORS requests for the element will not have the <i>credentials flag</i> set.
+    <tr><td><dfn id="attr-cross-origin-use-credentials-keyword" title="attr-cross-origin-use-credentials-keyword"><code>use-credentials</code></dfn>
+     <td><dfn id="attr-cross-origin-use-credentials" title="attr-cross-origin-use-credentials">Use Credentials</dfn>
+     <td>Cross-origin CORS requests for the element will have the <i>credentials flag</i> set.
+  </table><p>The empty string is also a valid keyword, and maps to the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a> state. The
+  attribute's <i>invalid value default</i> is the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a> state. The
+  <i>missing value default</i>, used when the attribute is omitted, is
+  the <dfn id="attr-cross-origin-none" title="attr-cross-origin-none">No CORS</dfn> state.<h3 id="common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</h3><h4 id="reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</h4><p>Some IDL attributes are defined to <dfn id="reflect">reflect</dfn> a
   particular content attribute. This means that on getting, the IDL
   attribute returns the current value of the content attribute, and on
   setting, the IDL attribute changes the value of the content
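Review bot: The keyword table in the new section 2.7.5 lists only the Anonymous and Use Credentials states, while the third state, No CORS, is defined only in the trailing sentence about the missing value default. Since that state decides whether any CORS check happens at all, it should get its own row, e.g. `<tr><td>(attribute omitted) <td>No CORS <td>Requests for the element are not made using CORS.`. A short note would also help authors: because the invalid value default is Anonymous, a misspelled `use-credentials` silently becomes a CORS request without credentials rather than a non-CORS request.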
@@ -18415,6 +18442,7 @@
    <dd><a href="#global-attributes">Global attributes</a></dd>
    <dd><code title="attr-img-alt"><a href="#attr-img-alt">alt</a></code></dd>
    <dd><code title="attr-img-src"><a href="#attr-img-src">src</a></code></dd>
+   <dd><code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code></dd>
    <dd><code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">usemap</a></code></dd>
    <dd><code title="attr-img-ismap"><a href="#attr-img-ismap">ismap</a></code></dd>
    <dd><code title="attr-dim-width"><a href="#attr-dim-width">width</a></code></dd>
@@ -18427,6 +18455,7 @@
 interface <dfn id="htmlimageelement">HTMLImageElement</dfn> : <a href="#htmlelement">HTMLElement</a> {
            attribute DOMString <a href="#dom-img-alt" title="dom-img-alt">alt</a>;
            attribute DOMString <a href="#dom-img-src" title="dom-img-src">src</a>;
+           attribute DOMString <a href="#dom-img-crossorigin" title="dom-img-crossOrigin">crossOrigin</a>;
            attribute DOMString <a href="#dom-img-usemap" title="dom-img-useMap">useMap</a>;
            attribute boolean <a href="#dom-img-ismap" title="dom-img-isMap">isMap</a>;
            attribute unsigned long <a href="#dom-img-width" title="dom-img-width">width</a>;
@@ -18454,7 +18483,8 @@
   section</a>.<p>The <code><a href="#the-img-element">img</a></code> element must not be used as a layout tool.
   In particular, <code><a href="#the-img-element">img</a></code> elements should not be used to
   display transparent images, as they rarely convey meaning and rarely
-  add anything useful to the document.<div class="impl">
+  add anything useful to the document.<p>The <dfn id="attr-img-cross-origin" title="attr-img-cross-origin"><code>cross-origin</code></dfn>
+  attribute is a <a href="#cors-settings-attribute">CORS settings attribute</a>.<div class="impl">
 
   <hr><p>An <code><a href="#the-img-element">img</a></code> is always in one of the following states:</p>
 
@@ -18517,10 +18547,32 @@
 
    <li>
 
-    <p>Otherwise, <a href="#resolve-a-url" title="resolve a url">resolve</a> the value
+    <p><a href="#resolve-a-url" title="resolve a url">Resolve</a> the value
     of the element's <code title="attr-img-src"><a href="#attr-img-src">src</a></code> attribute,
-    relative to the element, and, if that is successful,
-    <a href="#fetch">fetch</a> that resource.</p> 
+    relative to the element.</p>
+
+    <p>If that is not successful, abort these steps.</p>
+
+    <p>Otherwise, if the <a href="#origin">origin</a> of the resulting
+    <a href="#absolute-url">absolute URL</a> is not the <a href="#same-origin">same origin</a> as
+    the <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>'s
+    <a href="#origin">origin</a>, and the <code><a href="#the-img-element">img</a></code> element has a <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> attribute, then
+    perform a <a href="#cross-origin-request">cross-origin request</a>, with the <i>request
+    URL</i> set to the resulting <a href="#absolute-url">absolute URL</a>, the
+    <i>source origin</i> set to the <a href="#origin">origin</a> of the
+    <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>, and the
+    <i>credentials flag</i> set unless the <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> attribute is in
+    the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
+    state. Discard any data fetched in this way unless the
+    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>.
+    If the <a href="#cross-origin-request-status">cross-origin request status</a> is set to
+    <i>success</i>, then the element's image data's
+    <a href="#origin">origin</a> is forced to be the <code><a href="#the-img-element">img</a></code> element's
+    <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>. <a href="#refsCORS">[CORS]</a></p> 
+
+    <p>Otherwise, <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute
+    URL</a>.</p> 
+
     <p>The resouce obtained in this fashion is the <code><a href="#the-img-element">img</a></code>
     element's image data.</p>
 
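Review bot: The new img fetch step does not say what happens when the cross-origin request status is not success. The data is discarded, but the unchanged sentence after it still reads "The resouce obtained in this fashion is the img element's image data", and the added `Otherwise, fetch the resulting absolute URL` paragraph can be read as a fallback that retries without CORS. State the failure case explicitly, for example `If the cross-origin request status is not success, discard the data and treat the fetch as having failed; do not retry without CORS.`, and tie the second "Otherwise" to the origin/attribute condition. The same gap is in the media resource fetch step (@@ -22619) and the text track download step (@@ -25812). The list item this text belongs to continues past the end of the hunk.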
@@ -18742,10 +18794,20 @@
   with an <code title="attr-hyperlink-href"><a href="#attr-hyperlink-href">href</a></code> attribute.<p>The <code><a href="#the-img-element">img</a></code> element supports <a href="#dimension-attributes">dimension
   attributes</a>.<div class="impl">
 
-  <p>The IDL attributes <dfn id="dom-img-alt" title="dom-img-alt"><code>alt</code></dfn>, <dfn id="dom-img-src" title="dom-img-src"><code>src</code></dfn>, <dfn id="dom-img-usemap" title="dom-img-useMap"><code>useMap</code></dfn>, and <dfn id="dom-img-ismap" title="dom-img-isMap"><code>isMap</code></dfn> each must
+  <p>The <dfn id="dom-img-alt" title="dom-img-alt"><code>alt</code></dfn> and <dfn id="dom-img-src" title="dom-img-src"><code>src</code></dfn> IDL attributes must
   <a href="#reflect">reflect</a> the respective content attributes of the same
   name.</p>
 
+  <p>The <dfn id="dom-img-crossorigin" title="dom-img-crossOrigin"><code>crossOrigin</code></dfn> IDL
+  attribute must <a href="#reflect">reflect</a> the <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> content
+  attribute.</p>
+
+  <p>The <dfn id="dom-img-usemap" title="dom-img-useMap"><code>useMap</code></dfn> IDL
+  attribute must <a href="#reflect">reflect</a> the <code title="attr-img-usemap">usemap</code> content attribute.</p>
+
+  <p>The <dfn id="dom-img-ismap" title="dom-img-isMap"><code>isMap</code></dfn> IDL
+  attribute must <a href="#reflect">reflect</a> the <code title="attr-img-ismap"><a href="#attr-img-ismap">ismap</a></code> content attribute.</p>
+
   </div><dl class="domintro"><dt><var title="">image</var> . <code title="dom-img-width"><a href="#dom-img-width">width</a></code> [ = <var title="">value</var> ]</dt>
    <dt><var title="">image</var> . <code title="dom-img-height"><a href="#dom-img-height">height</a></code> [ = <var title="">value</var> ]</dt>
 
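Review bot: The new `useMap` paragraph references `<code title="attr-img-usemap">usemap</code>`, which comes out without a link, so the cross-reference appears not to resolve. Elsewhere on this page the img content-attribute list uses `attr-hyperlink-usemap` for the same attribute. The sentence should read `<code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">usemap</a></code>` so that the reflected attribute points at its definition, as the `crossOrigin` and `isMap` paragraphs beside it do.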
@@ -21302,6 +21364,7 @@
    <dt>Content attributes:</dt>
    <dd><a href="#global-attributes">Global attributes</a></dd>
    <dd><code title="attr-media-src"><a href="#attr-media-src">src</a></code></dd>
+   <dd><code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code></dd>
    <dd><code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code></dd>
    <dd><code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code></dd>
    <dd><code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code></dd>
@@ -21577,6 +21640,7 @@
    <dt>Content attributes:</dt>
    <dd><a href="#global-attributes">Global attributes</a></dd>
    <dd><code title="attr-media-src"><a href="#attr-media-src">src</a></code></dd>
+   <dd><code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code></dd>
    <dd><code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code></dd>
    <dd><code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code></dd>
    <dd><code title="attr-media-mediagroup"><a href="#attr-media-mediagroup">mediagroup</a></code></dd>
@@ -21921,6 +21985,7 @@
   // network state
            attribute DOMString <a href="#dom-media-src" title="dom-media-src">src</a>;
   readonly attribute DOMString <a href="#dom-media-currentsrc" title="dom-media-currentSrc">currentSrc</a>;
+           attribute DOMString <a href="#dom-media-crossorigin" title="dom-media-crossOrigin">crossOrigin</a>;
   const unsigned short <a href="#dom-media-network_empty" title="dom-media-NETWORK_EMPTY">NETWORK_EMPTY</a> = 0;
   const unsigned short <a href="#dom-media-network_idle" title="dom-media-NETWORK_IDLE">NETWORK_IDLE</a> = 1;
   const unsigned short <a href="#dom-media-network_loading" title="dom-media-NETWORK_LOADING">NETWORK_LOADING</a> = 2;
@@ -21971,7 +22036,7 @@
   readonly attribute <a href="#exclusivetracklist">ExclusiveTrackList</a> <a href="#dom-media-videotracks" title="dom-media-videoTracks">videoTracks</a>;
   readonly attribute <a href="#texttrack">TextTrack</a>[] <a href="#dom-media-texttracks" title="dom-media-textTracks">textTracks</a>;
   <a href="#mutabletexttrack">MutableTextTrack</a> <a href="#dom-media-addtexttrack" title="dom-media-addTextTrack">addTextTrack</a>(in DOMString kind, in optional DOMString label, in optional DOMString language);
-};</pre><p>The <dfn id="media-element-attributes">media element attributes</dfn>, <code title="attr-media-src"><a href="#attr-media-src">src</a></code>, <code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code>, <code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code>, 
+};</pre><p>The <dfn id="media-element-attributes">media element attributes</dfn>, <code title="attr-media-src"><a href="#attr-media-src">src</a></code>, <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code>, <code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code>, <code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code>, 
   <code title="attr-media-mediagroup"><a href="#attr-media-mediagroup">mediagroup</a></code>, 
   <code title="attr-media-loop"><a href="#attr-media-loop">loop</a></code>,
   <code title="attr-media-muted"><a href="#attr-media-muted">muted</a></code>, and <code title="attr-media-controls"><a href="#attr-media-controls">controls</a></code>, apply to all <a href="#media-element" title="media element">media elements</a>. They are defined in
@@ -22066,7 +22131,9 @@
   attribute on <a href="#media-element" title="media element">media elements</a> gives
   the address of the media resource (video, audio) to show. The
   attribute, if present, must contain a <a href="#valid-non-empty-url-potentially-surrounded-by-spaces">valid non-empty
-  URL potentially surrounded by spaces</a>.<div class="impl">
+  URL potentially surrounded by spaces</a>.<p>The <dfn id="attr-media-cross-origin" title="attr-media-cross-origin"><code>cross-origin</code></dfn>
+  content attribute on <a href="#media-element" title="media element">media
+  elements</a> is a <a href="#cors-settings-attribute">CORS settings attribute</a>.<div class="impl">
 
   <p>If a <code title="attr-media-src"><a href="#attr-media-src">src</a></code> attribute of a
   <a href="#media-element">media element</a> is set or changed, the user agent must
@@ -22078,6 +22145,10 @@
   attribute on <a href="#media-element" title="media element">media elements</a> must
   <a href="#reflect">reflect</a> the content attribute of the same name.</p>
 
+  <p>The <dfn id="dom-media-crossorigin" title="dom-media-crossOrigin"><code>crossOrigin</code></dfn> IDL
+  attribute must <a href="#reflect">reflect</a> the <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> content
+  attribute.</p>
+
   </div><dl class="domintro"><dt><var title="">media</var> . <code title="dom-media-currentSrc"><a href="#dom-media-currentsrc">currentSrc</a></code></dt>
 
    <dd>
@@ -22619,7 +22690,23 @@
 
    <li>
 
-    <p>Begin to <a href="#fetch">fetch</a> the <var title="">current media
+    <p>If the <a href="#origin">origin</a> of <var title="">current media
+    resource</var>'s <a href="#absolute-url">absolute URL</a> is not the <a href="#same-origin">same
+    origin</a> as the <a href="#media-element">media element</a>'s
+    <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, and the <a href="#media-element">media
+    element</a> has a <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute,
+    then perform a <a href="#cross-origin-request">cross-origin request</a>, with the
+    <i>request URL</i> set to <var title="">current media
+    resource</var>'s <a href="#absolute-url">absolute URL</a>, the <i>source
+    origin</i> set to the <a href="#origin">origin</a> of the <a href="#media-element">media
+    element</a>'s <code><a href="#document">Document</a></code>, and the <i>credentials
+    flag</i> set unless the <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
+    in the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
+    state. Discard any data fetched in this way unless the
+    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>.
+    <a href="#refsCORS">[CORS]</a></p> 
+
+    <p>Otherwise, <a href="#fetch">fetch</a> the <var title="">current media
     resource</var>, from the <a href="#media-element">media element</a>'s
     <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, with the <i>force
     same-origin flag</i> set.</p> 
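Review bot: Nothing added in this step stops a cross-origin media resource from loading when the element has no cross-origin attribute. The `Otherwise` branch is the same fetch "with the force same-origin flag set" as before, and the text removed at @@ -22998 and @@ -43980 implies that this call could yield a resource whose origin differs from the Document's. Later hunks now rely on the opposite: @@ -22998 drops the same-origin check before exposing in-band text tracks, and @@ -26926 and @@ -43980 state that media cannot be shown or fetched cross-origin without CORS. Unless the force same-origin flag (defined outside this diff) already rejects an initially cross-origin URL, add an explicit case here such as `Otherwise, if the URL is not same origin as the Document's origin, the fetch fails.`, or keep the checks that those hunks remove. It would also help to say that no data from the CORS branch may be exposed before the cross-origin request status is known, since media is consumed while it is still being fetched.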
@@ -22998,17 +23085,11 @@
 
      <dd>
 
-      <p>If the <a href="#media-resource">media resource</a>'s <a href="#origin">origin</a> is
-      the <a href="#same-origin">same origin</a> as the <a href="#media-element">media element</a>'s
-      <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, <a href="#queue-a-task">queue a
-      task</a> to run the <a href="#steps-to-expose-a-media-resource-specific-text-track">steps to expose a
+      <p><a href="#queue-a-task">Queue a task</a> to run the <a href="#steps-to-expose-a-media-resource-specific-text-track">steps to expose a
       media-resource-specific text track</a> with the relevant
-      data.</p> <!-- CORS -->
+      data.</p>
 
-      <p class="note">Cross-origin files do not expose their subtitles
-      in the DOM, for security reasons. However, user agents may still
-      provide the user with access to such data in their user
-      interface.</p>
+      
 
      </dd>
 
@@ -25812,9 +25893,25 @@
 
    <li>
 
-    <p><i>Download</i>: If <var title="">URL</var> is not the empty
-    string, and its <a href="#origin">origin</a> is the same as the <a href="#media-element">media
-    element</a>'s <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, then
+    <p><i>Download</i>: At this point, the text track is downloaded.</p>
+
+    <p>If <var title="">URL</var> is not the empty string, and its
+    <a href="#origin">origin</a> is not the <a href="#same-origin">same origin</a> as the
+    <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>'s
+    <a href="#origin">origin</a>, and the <a href="#media-element">media element</a> has a
+    <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code>
+    attribute, then perform a <a href="#cross-origin-request">cross-origin request</a>, with
+    the <i>request URL</i> set to <var title="">URL</var>, the
+    <i>source origin</i> set to the <a href="#origin">origin</a> of the
+    <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>, and the
+    <i>credentials flag</i> set unless the <a href="#media-element">media
+    element</a>'s <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
+    in the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
+    state. Discard any data fetched in this way unless the
+    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>.
+    <a href="#refsCORS">[CORS]</a></p> 
+
+    <p>Otherwise, if <var title="">URL</var> is not the empty string,
     <a href="#fetch">fetch</a> <var title="">URL</var>, from the <a href="#media-element">media
     element</a>'s <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, with
     the <i>force same-origin flag</i> set.</p> 
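Review bot: The rewritten Download step drops the explicit same-origin condition from the non-CORS branch. The removed text fetched only when URL's origin "is the same as the media element's Document's origin", whereas the new `Otherwise, if URL is not the empty string` branch fetches any non-empty URL. A cross-origin track on an element with no cross-origin attribute therefore reaches a plain fetch, and whether it is blocked depends on the force same-origin flag, which this diff does not define. Keep the condition in the fallback, e.g. `Otherwise, if URL is not the empty string and its origin is the same origin as the media element's Document's origin, fetch URL …`, so that the track's text is never exposed to script without either same-origin or a successful CORS check.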
@@ -26926,26 +27023,16 @@
 
   <hr><p>If a hostile page embeds victim content, the threat is that the
   embedding page could obtain information from the content that it
-  would not otherwise have access to. The API does expose some
-  information: the existence of the media, its type, its duration, its
-  size, and the performance characteristics of its host. Such
-  information is already potentially problematic, but in practice the
-  same information can more or less be obtained using the
-  <code><a href="#the-img-element">img</a></code> element, and so it has been deemed acceptable.</p>
-
-  <p>However, significantly more sensitive information could be
-  obtained if the user agent further exposes metadata within the
-  content such as subtitles or chapter titles. This version of the API
-  does not expose such information. Future extensions to this API will
-  likely reuse a mechanism such as CORS to check that the embedded
-  content's site has opted in to exposing such information. <a href="#refsCORS">[CORS]</a></p> 
+  would not otherwise have access to. To avoid this, the API will not
+  allow videos to be shown cross-origin unless the <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
+  present and the remote server opts-in to cross-origin requsts. <a href="#refsCORS">[CORS]</a></p>
 
-  <p class="example">An attacker could trick a user running within a
-  corporate network into visiting a site that attempts to load a video
-  from a previously leaked location on the corporation's intranet. If
-  such a video included confidential plans for a new product, then
-  being able to read the subtitles would present a confidentiality
-  breach.</p>
+  <p class="example">Without this restriction, an attacker could trick
+  a user running within a corporate network into visiting a site that
+  attempts to load a video from a previously leaked location on the
+  corporation's intranet. If such a video included confidential plans
+  for a new product, then being able to read the subtitles would
+  present a serious confidentiality breach.</p>
 
   </div><h5 id="best-practices-for-authors-using-media-elements"><span class="secno">4.8.10.17 </span>Best practices for authors using media elements</h5><p><i>This section is non-normative.</i><p>Playing audio and video resources on small devices such as
   set-top boxes or mobile phones is often constrained by limited
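Review bot: The replacement security paragraph has two wording slips and is narrower than the change it describes. "requsts" should be "requests" and the verb "opts-in" should be "opts in". It also speaks only of "videos", although the cross-origin attribute added by this commit applies to audio elements and to text track downloads as well; "media resources" would match the rest of the patch. The removed paragraph listed what the API exposes without any opt-in (existence, type, duration, size, host performance); if the no-attribute path can still load a resource, consider keeping that list, because that exposure is not covered by the new sentence.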
@@ -43893,7 +43980,7 @@
    </dd>
 
 
-   <dt>For <code><a href="#document">Document</a></code> objects and images</dt>
+   <dt>For <code><a href="#document">Document</a></code> objects</dt>
 
    <dd>
 
@@ -43909,8 +43996,7 @@
      assigned when the <code><a href="#document">Document</a></code> is created.</dd>
 
 
-     <dt>If a <code><a href="#document">Document</a></code> or image was generated from a
-     <a href="#javascript-protocol" title="javascript protocol"><code>javascript:</code>
+     <dt>If a <code><a href="#document">Document</a></code> was generated from a <a href="#javascript-protocol" title="javascript protocol"><code>javascript:</code>
      URL</a></dt>
 
      <dd>The <a href="#origin">origin</a> is equal to the <a href="#origin">origin</a>
@@ -43918,31 +44004,25 @@
      protocol"><code>javascript:</code> URL</a>.</dd>
 
 
-     <dt>If a <code><a href="#document">Document</a></code> or image was served over the
-     network and has an address that uses a URL scheme with a
-     server-based naming authority</dt>
+     <dt>If a <code><a href="#document">Document</a></code> was served over the network and
+     has an address that uses a URL scheme with a server-based naming
+     authority</dt>
 
-     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
-     <a href="#the-document-s-address" title="the document's address">address</a> of the
-     <code><a href="#document">Document</a></code> or the <a href="#url">URL</a> of the image, as
-     appropriate.</dd>
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of
+     <a href="#the-document-s-address">the <code>Document</code>'s address</a>.</dd>
 
 
-     <dt>If a <code><a href="#document">Document</a></code> or image was generated from a
-     <a href="#data-protocol" title="data protocol"><code title="">data:</code>
-     URL</a> that was returned as the location of an HTTP redirect
-     (<a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>
-     in other protocols)</dt>
+     <dt>If a <code><a href="#document">Document</a></code> was generated from a <a href="#data-protocol" title="data protocol"><code title="">data:</code> URL</a> that
+     was returned as the location of an HTTP redirect (<a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a> in
+     other protocols)</dt>
 
      <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
      <a href="#url">URL</a> that redirected to the <a href="#data-protocol" title="data
      protocol"><code title="">data:</code> URL</a>.</dd>
 
 
-     <dt>If a <code><a href="#document">Document</a></code> or image was generated from a
-     <a href="#data-protocol" title="data protocol"><code title="">data:</code>
-     URL</a> found in another <code><a href="#document">Document</a></code> or in a
-     script</dt>
+     <dt>If a <code><a href="#document">Document</a></code> was generated from a <a href="#data-protocol" title="data protocol"><code title="">data:</code> URL</a>
+     found in another <code><a href="#document">Document</a></code> or in a script</dt>
 
      <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
      <code><a href="#document">Document</a></code> or script that initiated the <a href="#navigate" title="navigate">navigation</a> to that <a href="#url">URL</a>.</dd>
@@ -43964,13 +44044,14 @@
      <code><a href="#document">Document</a></code>.</dd>
 
 
-     <dt>If a <code><a href="#document">Document</a></code> or image was obtained in some
-     other manner (e.g. a <a href="#data-protocol" title="data protocol"><code title="">data:</code> URL</a> typed in by the user, a
-     <code><a href="#document">Document</a></code> created using the <code title="dom-DOMImplementation-createDocument"><a href="#dom-domimplementation-createdocument">createDocument()</a></code>
+     <dt>If a <code><a href="#document">Document</a></code> was obtained in some other manner
+     (e.g. a <a href="#data-protocol" title="data protocol"><code title="">data:</code>
+     URL</a> typed in by the user, a <code><a href="#document">Document</a></code> created
+     using the <code title="dom-DOMImplementation-createDocument"><a href="#dom-domimplementation-createdocument">createDocument()</a></code>
      API, etc)</dt>
 
      <dd>The <a href="#origin">origin</a> is a globally unique identifier
-     assigned when the <code><a href="#document">Document</a></code> or image is created.</dd>
+     assigned when the <code><a href="#document">Document</a></code> is created.</dd>
 
     </dl><p>When a <code><a href="#document">Document</a></code> is created, its <a href="#effective-script-origin">effective
     script origin</a> is initialized to the <a href="#origin">origin</a> of
@@ -43980,18 +44061,61 @@
    </dd>
 
 
+   <dt>For images</dt>
+
+   <dd>
+
+    <dl class="switch"><dt>If an image is the image of an <code><a href="#the-img-element">img</a></code> element and
+     its image data has a forced origin</dt>
+
+     <dd>The <a href="#origin">origin</a> is the image data's forced origin.
+     (This occurs when the image was successfully obtained using
+     CORS.)</dd>
+
+
+     <dt>If an image was served over the network and has an address
+     that uses a URL scheme with a server-based naming authority</dt>
+
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
+     image's <a href="#url">URL</a>.</dd>
+
+
+     <dt>If an image was generated from a <a href="#data-protocol" title="data
+     protocol"><code title="">data:</code> URL</a> that was
+     returned as the location of an HTTP redirect (<a href="#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a> in
+     other protocols)</dt>
+
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
+     <a href="#url">URL</a> that redirected to the <a href="#data-protocol" title="data
+     protocol"><code title="">data:</code> URL</a>.</dd>
+
+
+     <dt>If an image was generated from a <a href="#data-protocol" title="data
+     protocol"><code title="">data:</code> URL</a> found in another
+     <code><a href="#document">Document</a></code> or in a script</dt>
+
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
+     <code><a href="#document">Document</a></code> or script that loaded that image.</dd>
+
+
+     <dt>If an image was obtained in some other manner (e.g. a <a href="#data-protocol" title="data protocol"><code title="">data:</code> URL</a>
+     typed in by the user)</dt>
+
+     <dd>The <a href="#origin">origin</a> is a globally unique identifier
+     assigned when the image is created.</dd>
+
+    </dl></dd>
+
+
    <dt>For <code><a href="#the-audio-element">audio</a></code> and <code><a href="#the-video-element">video</a></code> elements</dt>
 
    <dd>
 
-    <p>If value of the <a href="#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="#dom-media-currentsrc">currentSrc</a></code> attribute is the
-    empty string, the <a href="#origin">origin</a> is the same as the
+    <p>The <a href="#origin">origin</a> is always the same as the
     <a href="#origin">origin</a> of the element's <code><a href="#document">Document</a></code>'s
-    <a href="#origin">origin</a>.</p>
-
-    <p>Otherwise, the <a href="#origin">origin</a> is equal to the
-    <a href="#origin">origin</a> of the <a href="#absolute-url">absolute URL</a> given by the
-    <a href="#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="#dom-media-currentsrc">currentSrc</a></code> attribute.</p>
+    <a href="#origin">origin</a>, as <a href="#media-resource" title="media resource">media
+    resources</a> cannot be fetched cross-origin without the
+    server's permission (using CORS).</p>
 
    </dd>
 
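Review bot: The new "For images" list has no case for an image generated from a `javascript:` URL, although the rule it was split from (narrowed to Document only at @@ -43909) used to cover images too. Such an image now falls through to "obtained in some other manner" and receives a globally unique identifier as its origin. That is a behaviour change the commit message does not mention. If it is intended, say so in the log; if not, add a `<dt>If an image was generated from a javascript: URL</dt>` entry carrying over the previous rule.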
@@ -68193,6 +68317,7 @@
          <a href="#transparent">transparent</a>*</td>
      <td><a href="#global-attributes" title="global attributes">globals</a>;
          <code title="attr-media-src"><a href="#attr-media-src">src</a></code>;
+         <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code>;
          <code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code>;
          <code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code>;
          <code title="attr-media-mediagroup"><a href="#attr-media-mediagroup">mediagroup</a></code>;
@@ -68597,6 +68722,7 @@
      <td><a href="#global-attributes" title="global attributes">globals</a>;
          <code title="attr-img-alt"><a href="#attr-img-alt">alt</a></code>;
          <code title="attr-img-src"><a href="#attr-img-src">src</a></code>;
+         <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code>;
          <code title="attr-hyperlink-usemap"><a href="#attr-hyperlink-usemap">usemap</a></code>;
          <code title="attr-img-ismap"><a href="#attr-img-ismap">ismap</a></code>;
          <code title="attr-dim-width"><a href="#attr-dim-width">width</a></code>;
@@ -69233,6 +69359,7 @@
          <a href="#transparent">transparent</a>*</td>
      <td><a href="#global-attributes" title="global attributes">globals</a>;
          <code title="attr-media-src"><a href="#attr-media-src">src</a></code>;
+         <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code>;
          <code title="attr-video-poster"><a href="#attr-video-poster">poster</a></code>;
          <code title="attr-media-preload"><a href="#attr-media-preload">preload</a></code>;
          <code title="attr-media-autoplay"><a href="#attr-media-autoplay">autoplay</a></code>;
@@ -69679,6 +69806,12 @@
      <td> <code title="attr-area-coords"><a href="#attr-area-coords">area</a></code>
      <td> Coordinates for the shape to be created in an <a href="#image-map">image map</a>
      <td> <a href="#valid-list-of-integers">Valid list of integers</a>*
+    <tr><th> <code title="">cross-origin</code>
+     <td> <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">audio</a></code>;
+          <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">img</a></code>;
+          <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">video</a></code>
+     <td> How the element handles cross-origin requests.
+     <td> "<code title="attr-cross-origin-anonymous-keyword"><a href="#attr-cross-origin-anonymous-keyword">anonymous</a></code>"; "<code title="attr-cross-origin-use-credentials-keyword"><a href="#attr-cross-origin-use-credentials-keyword">use-credentials</a></code>"
     <tr><th> <code title="">data</code>
      <td> <code title="attr-object-data"><a href="#attr-object-data">object</a></code>
      <td> Address of the resource

Received on Wednesday, 18 May 2011 01:12:43 UTC