- From: <bugzilla@jessica.w3.org>
- Date: Wed, 25 May 2011 00:10:41 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12744
Summary: The crossdomain attribute named as such may prove an
attractive talisman for copy-paste/cargocult authors,
such that they start applying it on _any_ out of
domain img regardless of CORS, especially when they
see the no attribute string form <img crossdoma
Product: HTML WG
Version: unspecified
Platform: Other
URL: http://www.whatwg.org/specs/web-apps/current-work/#att
r-img-crossorigin
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: HTML5 spec (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: contributor@whatwg.org
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
public-html@w3.org
Specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html
Section:
http://www.whatwg.org/specs/web-apps/current-work/#attr-img-crossorigin
Comment:
The crossdomain attribute named as such may prove an attractive talisman for
copy-paste/cargocult authors, such that they start applying it on _any_ out of
domain img regardless of CORS, especially when they see the no attribute
string form <img crossdomain src="..." /> which doesn't give the author any
semantic clue as to its real purpose. Adding this attribute might not cause
visible breakage (if whoever is serving the image supports CORS), but it does
change the security attack surface of the application and should not be done
without reason. Perhaps change the name of the attribute to something that
would not tempt authors to use it outside of CORS scenerios. (Submitted by
Christian Iivari)
Posted from: 173.72.153.184
User agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Received on Wednesday, 25 May 2011 00:10:43 UTC