- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 7 Jul 2010 16:14:51 -0700
- To: Charlie Reis <creis@chromium.org>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
> Because it's undesirable to prevent the browser from sending cookies on an
> <img> request,

Why? I can understand why you can't do it today - but why is this undesirable even for new applications? Ad tracking?

~devdatta

On 7 July 2010 16:11, Charlie Reis <creis@chromium.org> wrote:
>
> On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com> wrote:
>>
>> On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote:
>> [...]
>>>
>>> That's unfortunate-- at least for now, that prevents servers from echoing
>>> the origin in the Access-Control-Allow-Origin header, so servers cannot host
>>> "public" images that don't taint canvases. The same problem likely exists
>>> for other types of requests that might adopt CORS, like fonts, etc.
>>
>> Why would public images or fonts need credentials?
>
> Because it's undesirable to prevent the browser from sending cookies on an
> <img> request, and the user might have cookies for the image's site. It's
> typical for the browser to send cookies on such requests, and those are
> considered a type of credentials by CORS.
>
> Charlie
>
>>>>
>>>> I believe the plan is to change HTML5 once CORS is somewhat more stable
>>>> and use it for various pieces of infrastructure there. At that point we can
>>>> change <img> to transmit an Origin header with an origin. We could also
>>>> decide to change CORS and allow the combination of * and the credentials
>>>> flag being true. I think * is not too different from echoing back the value
>>>> of a header.
>>>>
>>>
>>> I would second the proposal to allow * with credentials. It seems
>>> roughly equivalent to echoing back the Origin header, and it would allow
>>> CORS to work on images and other types of requests without changes to HTML5.
>>>
>>> Thanks,
>>> Charlie
>>
>> --
>> Cheers,
>> --MarkM
Received on Wednesday, 7 July 2010 23:15:43 UTC
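The rule the thread is arguing about, as an added illustration that is not part of the thread or of any browser's code: a browser rejects `Access-Control-Allow-Origin: *` on a credentialed request (one carrying cookies), so a server wanting a public image that does not taint canvases has to echo the request's `Origin` instead. Both helper functions and the origin values are constructed for this example.

```python
# Hypothetical helpers modelling the two sides of the CORS check discussed
# above. Not code from any browser, server or the CORS specification.

def server_cors_headers(request_origin, public=True, allowlist=()):
    """Build the CORS response headers a server would emit.

    For a public resource the server echoes whatever Origin it received
    (the workaround the thread describes, since '*' is not allowed with
    credentials); otherwise it echoes only allow-listed origins. Echoed
    origins always get 'Vary: Origin' so a shared cache never serves one
    origin's response to a different origin.
    """
    headers = {}
    if request_origin is None:
        return headers  # no Origin header: not a CORS request, add nothing
    if public or request_origin in allowlist:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return headers


def browser_accepts(headers, request_origin, with_credentials):
    """Apply the resource-sharing check a browser performs on the response.

    '*' is accepted only when no credentials (e.g. cookies) were sent. A
    credentialed response must name the requesting origin exactly and also
    carry 'Access-Control-Allow-Credentials: true'.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return (acao == request_origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == request_origin


if __name__ == "__main__":
    # Constructed scenario: an <img> request that carries cookies.
    origin = "https://gallery.example"  # constructed origin
    star_only = {"Access-Control-Allow-Origin": "*"}
    print("'*' with cookies accepted:", browser_accepts(star_only, origin, True))
    echoed = server_cors_headers(origin)
    print("echoed origin with cookies accepted:", browser_accepts(echoed, origin, True))
```

Echoing any Origin is only appropriate for resources that are genuinely public; for anything else the allow-list path is the one to use.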