- From: HTML Weekly Issue Tracker <sysbot+tracker@w3.org>
- Date: Fri, 24 Jun 2011 12:29:33 +0000
- To: public-html-wg-issue-tracking@w3.org
HTML-ISSUE-167 (remove-crossorigin): Remove the crossorigin attribute and CORS normative dependency
http://www.w3.org/html/wg/tracker/issues/167

Raised by: Sam Ruby
On product:

This issue was raised on behalf of Shelley Powers:

This change does not "fix" the problem related to WebGL--in actuality, the security vulnerability still exists. What this problem does is more or less just shove the responsibility for the problems off the software implementation and on to the application developers. This solution makes several assumptions, not the least of which that it provides a safe way to fulfill the original use cases given within the WebGL for supporting cross-domain resource access for texture use.

Originally, WebGL restricted cross-domain resource access for textures, most likely because of security concerns. However, after exploring the original use cases given for adding cross-domain resource access (such as using an ad from an ad service to embed an image into a 3D world, or using images served up at Flickr or AWS), there is no guarantee that this solution will fix the problem. Why? Because those serving the remote resources must also agree to the use of CORS, and I know for a fact that at least one of the services has already expressed reluctance to do so (AWS). Point of fact, I'm not sure any service is going to be willing to incorporate a functionality that is meant to bypass security protocols, for a technology group delivering a product that at least two security organizations have recommended against.

In addition, the addition of crossorigin also created a normative dependency in HTML for the CORS specification, which is, itself, a draft specification not currently robust enough for Last Call status. Though CORS was listed as a reference in the LC HTML5 document, I don't believe there was a normative dependency in the HTML5 specification for CORS previous to this.
See the associated bug for additional details: http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888
Received on Friday, 24 June 2011 12:29:35 UTC
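The argument above turns on one mechanism: the crossorigin attribute only makes a remote image usable as a WebGL texture if the server hosting the image opts in through CORS response headers. The following JavaScript is an added illustration, not part of the issue text or of any browser's implementation; it models the CORS resource-sharing check a browser applies to an image fetched with crossorigin="anonymous" or crossorigin="use-credentials" and what the result means for a texture upload. The function names (corsOutcome, credentialsMode, runScenarios) and the origins and headers in the scenarios are constructed for the example.

```javascript
// Added example (not from the W3C issue or any browser's source): a model of the
// CORS check a browser applies when an <img> carries the crossorigin attribute,
// and of what the outcome means for a WebGL texture upload. Names and sample
// origins/headers below are constructed for illustration.

// Normalise the crossorigin attribute the way HTML does: attribute absent means
// no CORS request at all; "use-credentials" means a credentialed CORS request;
// any other value (including the empty string) means an anonymous CORS request.
function credentialsMode(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) return "no-cors";
  return String(crossoriginAttr).toLowerCase() === "use-credentials"
    ? "use-credentials"
    : "anonymous";
}

// Case-insensitive header lookup over a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : headers[key];
}

// Decide what happens to a cross-origin image fetched for use as a texture.
//   "usable"  : CORS check passed; the image is not origin-tainted and
//               texImage2D may read it.
//   "tainted" : loaded without CORS; it renders in the page, but WebGL
//               refuses to read its pixels (SECURITY_ERR on texImage2D).
//   "blocked" : CORS was requested but the server did not opt in; the load
//               fails and the image's error handler fires.
function corsOutcome({ crossorigin, requestOrigin, responseHeaders }) {
  const mode = credentialsMode(crossorigin);
  if (mode === "no-cors") return "tainted";

  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return "blocked";

  if (mode === "anonymous") {
    // A wildcard or an exact match of the requesting origin is enough.
    return allowOrigin === "*" || allowOrigin === requestOrigin
      ? "usable"
      : "blocked";
  }
  // use-credentials: the wildcard is not accepted, the origin must match
  // exactly, and the server must also allow credentials explicitly.
  const allowCreds = header(responseHeaders, "Access-Control-Allow-Credentials");
  return allowOrigin === requestOrigin && allowCreds === "true"
    ? "usable"
    : "blocked";
}

// Constructed scenarios: a page at https://game.example wants a texture hosted
// at a different origin. Only the remote server's headers decide the outcome,
// which is the point the issue makes about services that decline to add them.
const REQUEST_ORIGIN = "https://game.example";
const scenarios = [
  { name: "no crossorigin attribute", crossorigin: null, responseHeaders: {} },
  { name: "anonymous, server silent", crossorigin: "anonymous", responseHeaders: {} },
  { name: "anonymous, server opts in", crossorigin: "anonymous",
    responseHeaders: { "Access-Control-Allow-Origin": "*" } },
  { name: "credentials with wildcard", crossorigin: "use-credentials",
    responseHeaders: { "Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Credentials": "true" } },
  { name: "credentials, exact origin", crossorigin: "use-credentials",
    responseHeaders: { "Access-Control-Allow-Origin": REQUEST_ORIGIN,
                       "Access-Control-Allow-Credentials": "true" } },
].map((s) => ({ ...s, requestOrigin: REQUEST_ORIGIN }));

// Returns [{ name, outcome }] for every scenario so callers can inspect results.
function runScenarios() {
  return scenarios.map((s) => ({ name: s.name, outcome: corsOutcome(s) }));
}

for (const r of runScenarios()) {
  console.log(`${r.name}: ${r.outcome}`);
}
```

The two "blocked" rows are the cases the issue is concerned with: a page can add crossorigin to its markup, but if the image host never sends Access-Control-Allow-Origin (or sends only the wildcard while credentials are requested) the texture never becomes readable, so the attribute shifts the decision to the host rather than removing the restriction.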