- From: Mark S. Miller <erights@google.com>
- Date: Wed, 7 Jul 2010 16:04:53 -0700
- To: Charlie Reis <creis@chromium.org>
- Cc: Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
Received on Wednesday, 7 July 2010 23:05:21 UTC
On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote:

[...]

> That's unfortunate-- at least for now, that prevents servers from echoing
> the origin in the Access-Control-Allow-Origin header, so servers cannot host
> "public" images that don't taint canvases. The same problem likely exists
> for other types of requests that might adopt CORS, like fonts, etc.
>

Why would public images or fonts need credentials?

>
>
>> I believe the plan is to change HTML5 once CORS is somewhat more stable
>> and use it for various pieces of infrastructure there. At that point we can
>> change <img> to transmit an Origin header with an origin. We could also
>> decide to change CORS and allow the combination of * and the credentials
>> flag being true. I think * is not too different from echoing back the value
>> of a header.
>>
>>
> I would second the proposal to allow * with credentials. It seems roughly
> equivalent to echoing back the Origin header, and it would allow CORS to
> work on images and other types of requests without changes to HTML5.
>
> Thanks,
> Charlie
>
>

--
Cheers,
--MarkM
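Added example, not part of the original message: a simplified version of the check a browser applies to a CORS response, showing that `*` is rejected for a credentialed request while an echoed Origin is accepted for every caller. The header names are the real CORS headers; the function names and origins are constructed for illustration.

```javascript
// Simplified resource sharing check (constructed example).
// requestOrigin: value of the Origin header sent, or undefined if none was sent.
function sharingCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is honoured only when no credentials are attached.
  if (!withCredentials && allowOrigin === "*") return true;
  // Otherwise the header must name the requesting origin exactly.
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  // Credentialed reads also need the case-sensitive literal "true".
  return headers["access-control-allow-credentials"] === "true";
}

// Policy A: public resource, wildcard.
function wildcardPolicy() {
  return { "access-control-allow-origin": "*" };
}

// Policy B: echo whatever Origin arrived. With no Origin header there is
// nothing to echo (the <img> case raised in the thread).
function echoPolicy(origin) {
  if (!origin) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Policy C: echo only origins on an explicit allowlist.
function allowlistPolicy(allowed) {
  return (origin) => (allowed.has(origin) ? echoPolicy(origin) : {});
}

// Which of the given origins can read the response under a policy?
function readableBy(policy, origins, withCredentials) {
  return origins.filter((o) => sharingCheck(o, withCredentials, policy(o)));
}

// Constructed sample origins.
const ORIGINS = ["https://app.example", "https://other.example"];
console.log("wildcard + credentials:", readableBy(wildcardPolicy, ORIGINS, true));
console.log("echo + credentials:    ", readableBy(echoPolicy, ORIGINS, true));
console.log("allowlist + credentials:",
  readableBy(allowlistPolicy(new Set(["https://app.example"])), ORIGINS, true));
```

Under the echo policy every origin passes the credentialed check, which is the equivalence to `*` with credentials that the thread points out; the allowlist policy is the variant that keeps credentialed reads restricted.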