- From: <bugzilla@jessica.w3.org>
- Date: Wed, 07 Sep 2011 04:35:14 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14056 Summary: Please change 4.8.11.2 Security with canvas elements to respect CORS Product: HTML WG Version: unspecified Platform: PC OS/Version: Windows NT Status: NEW Severity: major Priority: P2 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: gmthundercat@gmail.com QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org In section: 4.8.11.2 Security with canvas elements While the origin-clean flag is a very sensible addition; no provision has been specified for CORS. This means if image downloads are parallelized across subdomians or via a CDN for performance toDataURL is prevented by a security execption due to the false origin-clean flag. Which is very problematic... Currently Chrome is the only browser that seems to respect CORS for canvas toDataURL and maintaining the origin-clean flag as true. This works by providing the two HTTP headers: access-control-allow-origin:domain access-control-allow-credentials:false Can this be added to the HTML5 spec to hopefully cause greater adoption in other browsers? At the moment our method of handling this is to catch the exception and put up a popup saying this functionality only works in Chrome; which isn't ideal. -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Wednesday, 7 September 2011 04:35:15 UTC