Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements?

> Because it's undesirable to prevent the browser from sending cookies on an
> <img> request,

Why? I can understand why you can't do it today - but why is this
undesirable even for new applications? Ad tracking?

~devdatta

On 7 July 2010 16:11, Charlie Reis <creis@chromium.org> wrote:
>
>
> On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com> wrote:
>>
>> On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org> wrote:
>> [...]
>>>
>>> That's unfortunate-- at least for now, that prevents servers from echoing
>>> the origin in the Access-Control-Allow-Origin header, so servers cannot host
>>> "public" images that don't taint canvases.  The same problem likely exists
>>> for other types of requests that might adopt CORS, like fonts, etc.
>>
>> Why would public images or fonts need credentials?
>
> Because it's undesirable to prevent the browser from sending cookies on an
> <img> request, and the user might have cookies for the image's site.  It's
> typical for the browser to send cookies on such requests, and those are
> considered a type of credentials by CORS.
> Charlie
>
>>
>>
>>>>
>>>> I believe the plan is to change HTML5 once CORS is somewhat more stable
>>>> and use it for various pieces of infrastructure there. At that point we can
>>>> change <img> to transmit an Origin header with an origin. We could also
>>>> decide to change CORS and allow the combination of * and the credentials
>>>> flag being true. I think * is not too different from echoing back the value
>>>> of a header.
>>>>
>>>
>>> I would second the proposal to allow * with credentials.  It seems
>>> roughly equivalent to echoing back the Origin header, and it would allow
>>> CORS to work on images and other types of requests without changes to HTML5.
>>> Thanks,
>>> Charlie
>>
>>
>>
>> --
>>     Cheers,
>>     --MarkM
>
>

Received on Wednesday, 7 July 2010 23:15:43 UTC
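
The check this thread turns on, as an added example that is not part of the original messages: a simplified model of the CORS resource sharing check, showing why a "*" response fails once the credentials flag is true while an echoed origin passes. The function names, the server policy and the origin https://app.example are assumptions made for illustration.

```javascript
// Added example: simplified model of the CORS resource sharing check.
// Header names are lower-cased keys; values are compared case-sensitively.
function corsCheck(requestOrigin, credentialed, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard passes only when no credentials were sent.
  if (allowOrigin === "*") return !credentialed;
  if (allowOrigin !== requestOrigin) return false;
  if (!credentialed) return true;
  // Credentialed requests also need an explicit opt-in from the server.
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Hypothetical server policy for a "public" image, i.e. one whose bytes
// do not depend on the cookies sent with the request (assumption).
function publicImageHeaders(originHeader) {
  if (originHeader === undefined) {
    // No Origin header on the request: nothing to echo, "*" is all
    // the server can say.
    return { "access-control-allow-origin": "*" };
  }
  return {
    "access-control-allow-origin": originHeader,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // keep caches from reusing one origin's response
  };
}

// Constructed scenarios for a page at https://app.example.
function scenarios() {
  const page = "https://app.example";
  return {
    // <img> as discussed in the thread: cookies sent, no Origin header.
    imgNoOriginHeader: corsCheck(page, true, publicImageHeaders(undefined)),
    // <img> changed to transmit an Origin header: server can echo it.
    imgWithOriginHeader: corsCheck(page, true, publicImageHeaders(page)),
    // Request made without credentials: "*" is sufficient.
    anonymousWildcard: corsCheck(page, false, publicImageHeaders(undefined)),
    // Echoed origin but no Allow-Credentials opt-in.
    echoWithoutOptIn: corsCheck(page, true,
      { "access-control-allow-origin": page }),
  };
}

console.log(scenarios());
```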