hixie: Update how CORS works with <img> and <video> (and <audio> and <track>). (whatwg r6144)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4942&r2=1.4943&f=h
http://html5.org/tools/web-apps-tracker?from=6143&to=6144

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4942
retrieving revision 1.4943
diff -u -d -r1.4942 -r1.4943
--- Overview.html 20 May 2011 20:13:02 -0000 1.4942
+++ Overview.html 23 May 2011 20:43:07 -0000 1.4943
@@ -607,7 +607,8 @@
      <li><a href="#encrypted-http-and-related-security-concerns"><span class="secno">2.7.2 </span>Encrypted HTTP and related security concerns</a></li>
      <li><a href="#content-type-sniffing"><span class="secno">2.7.3 </span>Determining the type of a resource</a></li>
      <li><a href="#extracting-encodings-from-meta-elements"><span class="secno">2.7.4 </span>Extracting encodings from <code>meta</code> elements</a></li>
-     <li><a href="#cors-settings-attributes"><span class="secno">2.7.5 </span>CORS settings attributes</a></ol></li>
+     <li><a href="#cors-settings-attributes"><span class="secno">2.7.5 </span>CORS settings attributes</a></li>
+     <li><a href="#cors-enabled-fetch"><span class="secno">2.7.6 </span>CORS-enabled fetch</a></ol></li>
    <li><a href="#common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</a>
     <ol>
      <li><a href="#reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</a></li>
@@ -3053,6 +3054,9 @@
 
     <ul class="brief"><li><dfn id="cross-origin-request">cross-origin request</dfn>
      <li><dfn id="cross-origin-request-status">cross-origin request status</dfn>
+     <li><dfn id="redirect-steps">redirect steps</dfn>
+     <li><dfn id="credential-flag">credential flag</dfn>
+     <li><dfn id="resource-sharing-check">resource sharing check</dfn>
     </ul></dd>
 
    <dt>CSS modules</dt>
@@ -6063,7 +6067,11 @@
      <dd>
 
       <p>Continue, using the fetched resource (the redirect) as the
-      result of the algorithm.</p>
+      result of the algorithm. If the calling algorithm subsequently
+      requires the user agent to <dfn id="transparently-follow-the-redirect">transparently follow the
+      redirect</dfn>, then the user agent must resume this algorithm
+      from the <i>main step</i>, but using the target of the redirect
+      as the resource to fetch, rather than the original resource.</p>
 
      </dd>
 
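Review bot: the new definition of "transparently follow the redirect" says to resume from the main step with the redirect target as the resource, but not which of the original fetch's flags carry over into the resumed fetch. The one caller added in this patch (the taint case in 2.7.6) has to spell out "but with the manual redirect flag no longer set", which suggests the definition should state that the resumed fetch keeps the original fetch's flags unless the calling algorithm says otherwise; then callers only need to name the flags they change.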
@@ -6298,7 +6306,159 @@
   </table><p>The empty string is also a valid keyword, and maps to the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a> state. The
   attribute's <i>invalid value default</i> is the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a> state. The
   <i>missing value default</i>, used when the attribute is omitted, is
-  the <dfn id="attr-cross-origin-none" title="attr-cross-origin-none">No CORS</dfn> state.<h3 id="common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</h3><h4 id="reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</h4><p>Some IDL attributes are defined to <dfn id="reflect">reflect</dfn> a
+  the <dfn id="attr-cross-origin-none" title="attr-cross-origin-none">No CORS</dfn> state.<h4 id="cors-enabled-fetch"><span class="secno">2.7.6 </span>CORS-enabled fetch</h4><p>When the user agent is required to perform a <dfn id="potentially-cors-enabled-fetch">potentially
+  CORS-enabled fetch</dfn> of an <a href="#absolute-url">absolute URL</a> <var title="">URL</var>, with a mode <var title="">mode</var> that is
+  either "<a href="#attr-cross-origin-none" title="attr-cross-origin-none">No CORS</a>", "<a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>", or "<a href="#attr-cross-origin-use-credentials" title="attr-cross-origin-use-credentials">Use Credentials</a>",
+  an <a href="#origin">origin</a> <var title="">origin</var>, and a default
+  origin behaviour <var title="">default</var> which is either
+  "<i>taint</i>" or "<i>fail</i>", it must run the first applicable
+  set of steps from the following list. The default origin behaviour
+  is only used if <var title="">mode</var> is "<a href="#attr-cross-origin-none" title="attr-cross-origin-none">No CORS</a>". This algorithm wraps
+  the <a href="#fetch">fetch</a> algorithm above, and labels the obtained
+  resource as either <dfn id="cors-same-origin">CORS-same-origin</dfn> or
+  <dfn id="cors-cross-origin">CORS-cross-origin</dfn>, or blocks the resource entirely.<dl class="switch"><dt>If <var title="">mode</var> is "<a href="#attr-cross-origin-none" title="attr-cross-origin-none">No CORS</a>"</dt>
+
+   <dd>
+
+    <p>Run these substeps:</p>
+
+    <ol><li><p>Let <var title="">result</var> have no value.</li>
+
+     <li><p><a href="#fetch">Fetch</a> <var title="">URL</var>, with the
+     <i>manual redirect flag</i> set.</li> 
+     <li><p><i>Loop</i>: Wait for the <a href="#fetch">fetch</a> algorithm
+     to know if the result is a redirect or not.</li>
+
+     <li>
+
+      <p>If the result of the <a href="#fetch">fetch</a> is a redirect, and
+      <var title="">result</var> still has no value, then apply the
+      CORS <a href="#redirect-steps">redirect steps</a>, with the CORS
+      <a href="#credential-flag">credential flag</a> set to true and the <i>request
+      rules</i> being that the user agent continue to follow these
+      steps. If this resumes the <a href="#fetch">fetch</a> algorithm, then
+      return to the <i>loop</i> step. If it failed due to a failure
+      of the CORS <a href="#resource-sharing-check">resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
+      labeled <i>end</i>; if <var title="">default</var> is
+      <i>taint</i>, then set <var title="">result</var> to
+      <i>taint</i>, <a href="#transparently-follow-the-redirect">transparently follow the redirect</a>
+      but with the <i>manual redirect flag</i> no longer set, and
+      jump to the step labeled <i>end</i> below.</p>
+
+      <p>Otherwise, if the resource is not available (e.g. there is
+      a network error) then set <var title="">result</var> to the
+      same value as <var title="">default</var>, and jump to the
+      step labeled <i>end</i> below.</p>
+
+      <p>Otherwise, perform a <a href="#resource-sharing-check">resource sharing check</a>,
+      with the CORS <a href="#credential-flag">credential flag</a> set to true. If it
+      returns fail, then set <var title="">result</var> to the same
+      value as <var title="">default</var>; otherwise, set <var title="">result</var> to <i>success</i>. Then, jump to the
+      step labeled <i>end</i> below.</p>
+
+     </li>
+
+     <li>
+
+      <p><i>End</i>: Jump to the appropriate step from the following
+      list:</p>
+
+      <dl class="switch"><dt>If <var title="">result</var> is <i>fail</i></dt>
+
+       <dd>
+
+        <p>Discard all fetched data and prevent any <a href="#concept-task" title="concept-task">tasks</a> from the <a href="#fetch">fetch</a>
+        algorithm from being <a href="#queue-a-task" title="queue a task">queued</a>.
+        For the purposes of the calling algorithm, the user agent must
+        act as if there was a fatal network error and no resource was
+        obtained. The user agent may report a cross-origin resource
+        access failure to the user (e.g. in a debugging console).</p>
+
+       </dd>
+
+       <dt>If <var title="">result</var> is <i>taint</i></dt>
+
+       <dd>
+
+        <p>Tbe <a href="#concept-task" title="concept-task">tasks</a> from the
+        <a href="#fetch">fetch</a> algorithm are <a href="#queue-a-task" title="queue a
+        task">queued</a> normally, but for the purposes of the
+        calling algorithm, the obtained resource is
+        <a href="#cors-cross-origin">CORS-cross-origin</a>. The user agent may report a
+        cross-origin resource access failure to the user (e.g. in a
+        debugging console).</p>
+
+       </dd>
+
+       <dt>If <var title="">result</var> is <i>success</i></dt>
+
+       <dd>
+
+        <p>Tbe <a href="#concept-task" title="concept-task">tasks</a> from the
+        <a href="#fetch">fetch</a> algorithm are <a href="#queue-a-task" title="queue a
+        task">queued</a> normally, and for the purposes of the
+        calling algorithm, the obtained resource is
+        <a href="#cors-same-origin">CORS-same-origin</a>.</p>
+
+       </dd>
+
+      </dl></li>
+
+    </ol></dd>
+
+
+   <dt>If <var title="">mode</var> is "<a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>" or "<a href="#attr-cross-origin-use-credentials" title="attr-cross-origin-use-credentials">Use
+   Credentials</a>"</dt>
+
+   <dd>
+
+    <p>Run these steps:</p>
+
+    <ol><li><p>Perform a <a href="#cross-origin-request">cross-origin request</a> with the
+     <i>request URL</i> set to <var title="">URL</var>, the
+     <i>source origin</i> set to <var title="">origin</var>, and the
+     <i>credentials flag</i> set to true if <var title="">mode</var>
+     is "<a href="#attr-cross-origin-use-credentials" title="attr-cross-origin-use-credentials">Use
+     Credentials</a>" and set to false otherwise. <a href="#refsCORS">[CORS]</a></li>
+
+     <li><p>Wait for the CORS <a href="#cross-origin-request-status">cross-origin request status</a>
+     to have a value.</li>
+
+     <li>
+
+      <p>Jump to the appropriate step from the following list:</p>
+
+      <dl class="switch"><dt>If the CORS <a href="#cross-origin-request-status">cross-origin request status</a> is not <i>success</i></dt>
+
+       <dd>
+
+        <p>Discard all fetched data and prevent any <a href="#concept-task" title="concept-task">tasks</a> from the <a href="#fetch">fetch</a>
+        algorithm from being <a href="#queue-a-task" title="queue a task">queued</a>.
+        For the purposes of the calling algorithm, the user agent must
+        act as if there was a fatal network error and no resource was
+        obtained. If a CORS <a href="#resource-sharing-check">resource sharing check</a>
+        failed, the user agent may report a cross-origin resource
+        access failure to the user (e.g. in a debugging console).</p>
+
+       </dd>
+
+       <dt>If the CORS <a href="#cross-origin-request-status">cross-origin request status</a> is <i>success</i></dt>
+
+       <dd>
+
+        <p>Tbe <a href="#concept-task" title="concept-task">tasks</a> from the
+        <a href="#fetch">fetch</a> algorithm are <a href="#queue-a-task" title="queue a
+        task">queued</a> normally, and for the purposes of the
+        calling algorithm, the obtained resource is
+        <a href="#cors-same-origin">CORS-same-origin</a>.</p>
+
+       </dd>
+
+      </dl></li>
+
+    </ol></dd>
+
+  </dl><h3 id="common-dom-interfaces"><span class="secno">2.8 </span>Common DOM interfaces</h3><h4 id="reflecting-content-attributes-in-idl-attributes"><span class="secno">2.8.1 </span>Reflecting content attributes in IDL attributes</h4><p>Some IDL attributes are defined to <dfn id="reflect">reflect</dfn> a
   particular content attribute. This means that on getting, the IDL
   attribute returns the current value of the content attribute, and on
   setting, the IDL attribute changes the value of the content
@@ -18553,29 +18713,18 @@
 
     <p>If that is not successful, abort these steps.</p>
 
-    <p>Otherwise, if the <code><a href="#the-img-element">img</a></code> element has a <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> attribute, then
-    perform a <a href="#cross-origin-request">cross-origin request</a>, with the <i>request
-    URL</i> set to the resulting <a href="#absolute-url">absolute URL</a>, the
-    <i>source origin</i> set to the <a href="#origin">origin</a> of the
+    <p>Otherwise, do a <a href="#potentially-cors-enabled-fetch">potentially CORS-enabled fetch</a> of
+    the resulting <a href="#absolute-url">absolute URL</a>, with the <i>mode</i>
+    being the state of the element's <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> content
+    attribute, the <i><a href="#origin">origin</a></i> being the <a href="#origin">origin</a> of the
     <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>, and the
-    <i>credentials flag</i> set unless the <code title="attr-img-cross-origin"><a href="#attr-img-cross-origin">cross-origin</a></code> attribute is in
-    the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
-    state. Discard any data fetched in this way unless the
-    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>
-    by the <a href="#cross-origin-request">cross-origin request</a> algorithm. If the
-    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>,
-    then the element's image data's <a href="#origin">origin</a> is <a href="#concept-origin-forced-img" title="concept-origin-forced-img">forced</a> to be the
-    <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>'s
-    <a href="#origin">origin</a>. <a href="#refsCORS">[CORS]</a></p> 
-    <p>Otherwise, <a href="#fetch">fetch</a> the resulting <a href="#absolute-url">absolute
-    URL</a>. If the returned resource has an <code title="http-Access-Control-Allow-Origin">Access-Control-Allow-Origin</code>
-    response header, and its value is the literal "<code title="">*</code>" character, then the element's image data's
-    <a href="#origin">origin</a> is <a href="#concept-origin-forced-img" title="concept-origin-forced-img">forced</a> to be the
-    <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>'s
-    <a href="#origin">origin</a>.</p> 
+    <i>default origin behaviour</i> set to <i>taint</i>.</p>
 
-    <p>The resouce obtained in this fashion is the <code><a href="#the-img-element">img</a></code>
-    element's image data.</p>
+    <p>The resource obtained in this fashion, if any, is the
+    <code><a href="#the-img-element">img</a></code> element's image data. It can be either
+    <a href="#cors-same-origin">CORS-same-origin</a> or <a href="#cors-cross-origin">CORS-cross-origin</a>;
+    this affects the <a href="#origin">origin</a> of the image itself (e.g.
+    when used on a <code><a href="#the-canvas-element">canvas</a></code>).</p>
 
      <p>Fetching the image must <a href="#delay-the-load-event">delay the load
     event</a> of the element's document until the <a href="#concept-task" title="concept-task">task</a> that is <a href="#queue-a-task" title="queue a
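Review bot: the removed second paragraph untainted an image fetched without the attribute whenever the response's Access-Control-Allow-Origin was the literal "*"; the replacement leaves that case to the resource sharing check run with the credential flag set to true in the "No CORS" branch of 2.7.6, so whether a bare "*" still yields an untainted image now depends on what [CORS] says about that check rather than on this text. That is a behaviour change for pages that draw such images on a canvas and should be called out in the commit message or in a note next to the new "It can be either CORS-same-origin or CORS-cross-origin" sentence.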
@@ -22691,26 +22840,22 @@
 
    <li>
 
-    <p>If the <a href="#origin">origin</a> of <var title="">current media
-    resource</var>'s <a href="#absolute-url">absolute URL</a> is not the <a href="#same-origin">same
-    origin</a> as the <a href="#media-element">media element</a>'s
-    <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, and the <a href="#media-element">media
-    element</a> has a <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute,
-    then perform a <a href="#cross-origin-request">cross-origin request</a>, with the
-    <i>request URL</i> set to <var title="">current media
-    resource</var>'s <a href="#absolute-url">absolute URL</a>, the <i>source
-    origin</i> set to the <a href="#origin">origin</a> of the <a href="#media-element">media
-    element</a>'s <code><a href="#document">Document</a></code>, and the <i>credentials
-    flag</i> set unless the <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
-    in the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
-    state. Discard any data fetched in this way unless the
-    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>.
-    <a href="#refsCORS">[CORS]</a></p> 
+    <p>Perform a <a href="#potentially-cors-enabled-fetch">potentially CORS-enabled fetch</a> of the
+    <var title="">current media resource</var>'s <a href="#absolute-url">absolute
+    URL</a>, with the <i>mode</i> being the state of the
+    <a href="#media-element">media element</a>'s <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> content
+    attribute, the <i><a href="#origin">origin</a></i> being the <a href="#origin">origin</a> of the
+    <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>, and the
+    <i>default origin behaviour</i> set to <i>taint</i>.</p>
+
+    <p>The resource obtained in this fashion, if any, contains the
+    <a href="#media-data">media data</a>. It can be <a href="#cors-same-origin">CORS-same-origin</a>
+    or <a href="#cors-cross-origin">CORS-cross-origin</a>; this affects whether subtitles
+    referenced in the <a href="#media-data">media data</a> are exposed in the API
+    and, for <code><a href="#the-video-element">video</a></code> elements, whether a
+    <code><a href="#the-canvas-element">canvas</a></code> gets tainted when the video is drawn on
+    it.</p>
 
-    <p>Otherwise, <a href="#fetch">fetch</a> the <var title="">current media
-    resource</var>, from the <a href="#media-element">media element</a>'s
-    <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, with the <i>force
-    same-origin flag</i> set.</p> 
     <p>Every 350ms (&plusmn;200ms) or for every byte received, whichever
     is <em>least</em> frequent, <a href="#queue-a-task">queue a task</a> to
     <a href="#fire-a-simple-event">fire a simple event</a> named <code title="event-media-progress"><a href="#event-media-progress">progress</a></code> at the element.</p>
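Review bot: the removed condition only made a cross-origin request when current media resource's URL was not the same origin as the Document; the replacement sends every media URL through the potentially CORS-enabled fetch, whose Anonymous/Use Credentials branch performs a cross-origin request unconditionally. Unless [CORS] short-circuits same-origin URLs, a same-origin video carrying a cross-origin attribute now needs its own server to answer with CORS headers or its data is discarded as a fatal network error; if that is intended it belongs in the attribute's description, otherwise 2.7.6 should test for same-origin before issuing the request. The removed fetch "with the force same-origin flag set" has no counterpart in the new text, so confirm that nothing else in the document still references that flag.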
@@ -23086,11 +23231,15 @@
 
      <dd>
 
-      <p><a href="#queue-a-task">Queue a task</a> to run the <a href="#steps-to-expose-a-media-resource-specific-text-track">steps to expose a
-      media-resource-specific text track</a> with the relevant
-      data.</p>
+      <p>If the <a href="#media-data">media data</a> is
+      <a href="#cors-same-origin">CORS-same-origin</a>, <a href="#queue-a-task">queue a task</a> to run
+      the <a href="#steps-to-expose-a-media-resource-specific-text-track">steps to expose a media-resource-specific text
+      track</a> with the relevant data.</p>
 
-      
+      <p class="note">Cross-origin videos do not expose their
+      subtitles, since that would allow attacks such as hostile sites
+      reading subtitles from confidential videos on a user's
+      intranet.</p>
 
      </dd>
 
@@ -25896,26 +26045,18 @@
 
     <p><i>Download</i>: At this point, the text track is downloaded.</p>
 
-    <p>If <var title="">URL</var> is not the empty string, and its
-    <a href="#origin">origin</a> is not the <a href="#same-origin">same origin</a> as the
-    <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>'s
-    <a href="#origin">origin</a>, and the <a href="#media-element">media element</a> has a
-    <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code>
-    attribute, then perform a <a href="#cross-origin-request">cross-origin request</a>, with
-    the <i>request URL</i> set to <var title="">URL</var>, the
-    <i>source origin</i> set to the <a href="#origin">origin</a> of the
+    <p>If <var title="">URL</var> is not the empty string, perform a
+    <a href="#potentially-cors-enabled-fetch">potentially CORS-enabled fetch</a> of <var title="">URL</var>, with the <i>mode</i> being the state of the
+    <a href="#media-element">media element</a>'s <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> content
+    attribute, the <i><a href="#origin">origin</a></i> being the <a href="#origin">origin</a> of the
     <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>, and the
-    <i>credentials flag</i> set unless the <a href="#media-element">media
-    element</a>'s <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
-    in the <a href="#attr-cross-origin-anonymous" title="attr-cross-origin-anonymous">Anonymous</a>
-    state. Discard any data fetched in this way unless the
-    <a href="#cross-origin-request-status">cross-origin request status</a> is set to <i>success</i>.
-    <a href="#refsCORS">[CORS]</a></p> 
+    <i>default origin behaviour</i> set to <i>fail</i>.</p>
+
+    <p>The resource obtained in this fashion, if any, contains the
+    text track data. If any data is obtained, it is by definition
+    <a href="#cors-same-origin">CORS-same-origin</a> (cross-origin resources that are not
+    suitably CORS-enabled do not get this far).</p>
 
-    <p>Otherwise, if <var title="">URL</var> is not the empty string,
-    <a href="#fetch">fetch</a> <var title="">URL</var>, from the <a href="#media-element">media
-    element</a>'s <code><a href="#document">Document</a></code>'s <a href="#origin">origin</a>, with
-    the <i>force same-origin flag</i> set.</p> 
     <p>The <a href="#concept-task" title="concept-task">tasks</a> <a href="#queue-a-task" title="queue
     a task">queued</a> by the <a href="#fetch" title="fetch">fetching
     algorithm</a> on the <a href="#networking-task-source">networking task source</a> to
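Review bot: with default set to fail, the "No CORS" branch of 2.7.6 runs a resource sharing check on the fetched track and nothing exempts a same-origin URL, so a track served from the media element's own Document's origin without CORS headers would be discarded and reported as failed to load; the removed "Otherwise, if URL is not the empty string, fetch URL ... with the force same-origin flag set" branch covered exactly that case. Either keep a same-origin branch here or give 2.7.6 a same-origin exemption. The parenthetical "cross-origin resources that are not suitably CORS-enabled do not get this far" holds only because default is fail and could say so.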
@@ -25932,14 +26073,13 @@
 
     <p>If the <a href="#fetch" title="fetch">fetching algorithm</a> fails for
     any reason (network error, the server returns an error code, a
-    cross-origin check fails, etc), or if <var title="">URL</var> is
-    the empty string or has the wrong <a href="#origin">origin</a> as
-    determined by the condition at the start of this step, or if the
-    fetched resource is not in a supported format, then <a href="#queue-a-task">queue a
-    task</a> to first change the <a href="#text-track-readiness-state">text track readiness
-    state</a> to <a href="#text-track-failed-to-load" title="text track failed to load">failed to
-    load</a> and then <a href="#fire-a-simple-event">fire a simple event</a> named <code title="event-error">error</code> at the <code><a href="#the-track-element">track</a></code>
-    element; and then, once that <a href="#concept-task" title="concept-task">task</a> is <a href="#queue-a-task" title="queue a
+    cross-origin check fails, etc), if <var title="">URL</var> is the
+    empty string, or if the fetched resource is not in a supported
+    format, then <a href="#queue-a-task">queue a task</a> to first change the
+    <a href="#text-track-readiness-state">text track readiness state</a> to <a href="#text-track-failed-to-load" title="text track
+    failed to load">failed to load</a> and then <a href="#fire-a-simple-event">fire a simple
+    event</a> named <code title="event-error">error</code> at the
+    <code><a href="#the-track-element">track</a></code> element; and then, once that <a href="#concept-task" title="concept-task">task</a> is <a href="#queue-a-task" title="queue a
     task">queued</a>, move on to the step below labeled
     <i>monitoring</i>.</p>
 
@@ -27024,9 +27164,19 @@
 
   <hr><p>If a hostile page embeds victim content, the threat is that the
   embedding page could obtain information from the content that it
-  would not otherwise have access to. To avoid this, the API will not
-  allow videos to be shown cross-origin unless the <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute is
-  present and the remote server opts-in to cross-origin requsts. <a href="#refsCORS">[CORS]</a></p>
+  would not otherwise have access to. The API does expose some
+  information: the existence of the media, its type, its duration, its
+  size, and the performance characteristics of its host. Such
+  information is already potentially problematic, but in practice the
+  same information can more or less be obtained using the
+  <code><a href="#the-img-element">img</a></code> element, and so it has been deemed acceptable.</p>
+
+  <p>However, significantly more sensitive information could be
+  obtained if the user agent further exposes metadata within the
+  content such as subtitles or chapter titles. Such information is
+  therefore only exposed if the video resource passes a CORS
+  <a href="#resource-sharing-check">resource sharing check</a>. The <code title="attr-media-cross-origin"><a href="#attr-media-cross-origin">cross-origin</a></code> attribute allows
+  authors to control how this check is performed. <a href="#refsCORS">[CORS]</a></p>
 
   <p class="example">Without this restriction, an attacker could trick
   a user running within a corporate network into visiting a site that
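Review bot: the second new paragraph ties subtitle and chapter exposure to passing a CORS resource sharing check, but the processing model earlier in this patch keys exposure on the media data being CORS-same-origin, a label the Anonymous/Use Credentials branch of 2.7.6 derives from the cross-origin request status rather than from a check named here; refer to the CORS-same-origin label instead so the security section and the algorithm agree. The unchanged example that follows still opens with "Without this restriction", which after the rewrite refers to the exposure rule in this paragraph; keep the two adjacent if the section is reordered.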
@@ -44067,10 +44217,18 @@
    <dd>
 
     <dl class="switch"><dt>If an image is the image of an <code><a href="#the-img-element">img</a></code> element and
-     its image data has a <a href="#concept-origin-forced-img" title="concept-origin-forced-img">forced origin</a></dt>
+     its image data is <a href="#cors-cross-origin">CORS-cross-origin</a></dt>
+
+     <dd>The <a href="#origin">origin</a> is a globally unique identifier
+     assigned when the image is created.</dd>
+
+
+     <dt>If an image is the image of an <code><a href="#the-img-element">img</a></code> element and
+     its image data is <a href="#cors-same-origin">CORS-same-origin</a></dt>
+
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
+     <code><a href="#the-img-element">img</a></code> element's <code><a href="#document">Document</a></code>.</dd>
 
-     <dd>The <a href="#origin">origin</a> is the image data's <dfn id="concept-origin-forced-img" title="concept-origin-forced-img">forced origin</dfn>. (This
-     occurs when the image was successfully obtained using CORS.)</dd>
 
 
      <dt>If an image was served over the network and has an address
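Review bot: the dfn for "forced origin" (id concept-origin-forced-img) is removed here and the img processing model earlier in this patch no longer produces it, so any other link to #concept-origin-forced-img remaining in the document now dangles; search for the id before landing this. Nit: the new dd is followed by two consecutive blank lines before the next dt, where the surrounding list uses one.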
@@ -44111,13 +44269,20 @@
 
    <dd>
 
-    <p>The <a href="#origin">origin</a> is always the same as the
-    <a href="#origin">origin</a> of the element's <code><a href="#document">Document</a></code>'s
-    <a href="#origin">origin</a>, as <a href="#media-resource" title="media resource">media
-    resources</a> cannot be fetched cross-origin without the
-    server's permission (using CORS).</p>
+    <dl class="switch"><dt>If the <a href="#media-data">media data</a> is
+     <a href="#cors-cross-origin">CORS-cross-origin</a></dt>
 
-   </dd>
+     <dd>The <a href="#origin">origin</a> is a globally unique identifier
+     assigned when the image is created.</dd>
+
+
+     <dt>If the <a href="#media-data">media data</a> is
+     <a href="#cors-same-origin">CORS-same-origin</a></dt>
+
+     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
+     <a href="#media-element">media element</a>'s <code><a href="#document">Document</a></code>.</dd>
+
+    </dl></dd>
 
 
    <dt>For fonts</dt>
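Review bot: the CORS-cross-origin case says the globally unique identifier is "assigned when the image is created", copied from the img case above; for media data this should read "when the media resource is fetched" (or "created"), as there is no image here. Nit: the same doubled blank line appears inside this new dl as in the img hunk.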
@@ -44126,8 +44291,7 @@
 
     <p>The <a href="#origin">origin</a> of a downloadable Web font is equal to
     the <a href="#origin">origin</a> of the <a href="#absolute-url">absolute URL</a> used to
-    obtain the font (after any redirects). <a href="#refsCSSFONTS">[CSSFONTS]</a></p>
-
+    obtain the font (after any redirects). <a href="#refsCSSFONTS">[CSSFONTS]</a></p> 
     <p>The <a href="#origin">origin</a> of a locally installed system font is
     equal to the <a href="#origin">origin</a> of the <code><a href="#document">Document</a></code> in
     which that font is being used.</p>
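Review bot: this hunk is a whitespace-only change that removes the blank line between the two font paragraphs and appends trailing whitespace to the first; it looks accidental and is unrelated to the CORS change described in the commit message, so drop it from this revision.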

Received on Monday, 23 May 2011 20:44:25 UTC