Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements?

On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote:
[...]

> That's unfortunate-- at least for now, that prevents servers from echoing
> the origin in the Access-Control-Allow-Origin header, so servers cannot host
> "public" images that don't taint canvases.  The same problem likely exists
> for other types of requests that might adopt CORS, like fonts, etc.
>

Why would public images or fonts need credentials?


>
>
>> I believe the plan is to change HTML5 once CORS is somewhat more stable
>> and use it for various pieces of infrastructure there. At that point we can
>> change <img> to transmit an Origin header with an origin. We could also
>> decide to change CORS and allow the combination of * and the credentials
>> flag being true. I think * is not too different from echoing back the value
>> of a header.
>>
>>
> I would second the proposal to allow * with credentials.  It seems roughly
> equivalent to echoing back the Origin header, and it would allow CORS to
> work on images and other types of requests without changes to HTML5.
>
> Thanks,
> Charlie
>
>


-- 
    Cheers,
    --MarkM

Received on Wednesday, 7 July 2010 23:05:21 UTC
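
The behaviour debated in this thread, as an added example that is not part of the original message or of any browser's code: a simplified version of the check a CORS client applies to a response, showing that `*` passes only for requests without credentials while an echoed origin plus `Access-Control-Allow-Credentials: true` passes with them. The function name `corsCheck` and the origin `https://app.example` are constructed for illustration.

```javascript
// Simplified CORS resource sharing check (illustrative, not a browser's code).
// requestOrigin:   origin of the requesting page, e.g. "https://app.example"
// withCredentials: true if cookies / HTTP auth were sent with the request
// responseHeaders: plain object of response header name -> value
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin' };
  }

  if (allowOrigin === '*') {
    // The wildcard is honoured only when no credentials were sent.
    return withCredentials
      ? { allowed: false, reason: 'wildcard with credentials' }
      : { allowed: true, reason: 'wildcard without credentials' };
  }

  // Otherwise the value must match the requesting origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: 'origin mismatch' };
  }
  if (!withCredentials) {
    return { allowed: true, reason: 'origin match without credentials' };
  }

  // Credentialed requests also need the literal, case-sensitive "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials not allowed' };
  }
  return { allowed: true, reason: 'origin match with credentials' };
}

// Constructed sample responses for the three cases discussed in the thread.
const origin = 'https://app.example';
console.log(corsCheck(origin, false, { 'Access-Control-Allow-Origin': '*' }));
console.log(corsCheck(origin, true, { 'Access-Control-Allow-Origin': '*' }));
console.log(corsCheck(origin, true, {
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
}));
```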