- From: Charlie Reis <creis@chromium.org>
- Date: Wed, 7 Jul 2010 16:11:07 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
- Message-ID: <AANLkTikaogbE_BbZ-TTOPR2GJIOhfMykO_UALVuK41Nm@mail.gmail.com>
On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com> wrote: > On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote: > [...] > >> That's unfortunate-- at least for now, that prevents servers from echoing >> the origin in the Access-Control-Allow-Origin header, so servers cannot host >> "public" images that don't taint canvases. The same problem likely exists >> for other types of requests that might adopt CORS, like fonts, etc. >> > > Why would public images or fonts need credentials? > Because it's undesirable to prevent the browser from sending cookies on an <img> request, and the user might have cookies for the image's site. It's typical for the browser to send cookies on such requests, and those are considered a type of credentials by CORS. Charlie > > >> >> >>> I believe the plan is to change HTML5 once CORS is somewhat more stable >>> and use it for various pieces of infrastructure there. At that point we can >>> change <img> to transmit an Origin header with an origin. We could also >>> decide to change CORS and allow the combination of * and the credentials >>> flag being true. I think * is not too different from echoing back the value >>> of a header. >>> >>> >> I would second the proposal to allow * with credentials. It seems roughly >> equivalent to echoing back the Origin header, and it would allow CORS to >> work on images and other types of requests without changes to HTML5. >> >> Thanks, >> Charlie >> >> > > > -- > Cheers, > --MarkM >
Received on Wednesday, 7 July 2010 23:12:20 UTC