- From: <bugzilla@jessica.w3.org>
- Date: Wed, 25 May 2011 00:10:41 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12744 Summary: The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdoma Product: HTML WG Version: unspecified Platform: Other URL: http://www.whatwg.org/specs/web-apps/current-work/#att r-img-crossorigin OS/Version: other Status: NEW Severity: normal Priority: P3 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: contributor@whatwg.org QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html Section: http://www.whatwg.org/specs/web-apps/current-work/#attr-img-crossorigin Comment: The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdomain src="..." /> which doesn't give the author any semantic clue as to its real purpose. Adding this attribute might not cause visible breakage (if whoever is serving the image supports CORS), but it does change the security attack surface of the application and should not be done without reason. Perhaps change the name of the attribute to something that would not tempt authors to use it outside of CORS scenerios. (Submitted by Christian Iivari) Posted from: 173.72.153.184 User agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Wednesday, 25 May 2011 00:10:43 UTC