On Mar 29, 2013 4:09 PM, "Glenn Maynard" <glenn@zewt.org> wrote:
>
> On Fri, Mar 29, 2013 at 10:17 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> What I'm saying if that different browsers behave differently here.
>>
>> Requiring the crossorigin attribute might be your opinion on how to
solve it, but its not matching how any browsers treat data: URLs right now.
>
> We're talking about changing the behavior of blob URLs, not about data:
URLs.
>
> This isn't my opinion; I'm just explaining what the spec currently says.
Drawing cross-origin images always taint the canvas, and <img crossorigin>
is used to prevent that, by effectively changing the image's origin (
http://www.whatwg.org/specs/web-apps/current-work/#origin-0 "for images").
What the spec says it that cross origin URLs taint. However different
browsers treat data: differently when it comes to whether it is crossorigin.
In any case the crossorigin attribute wouldn't make Senate here since it
requires the loaded URL to opt in to being crossorigin readable using CORS,
something that is not possible for data: URLs.
The reason that data: is relevant there is that blob: is proposed to behave
the same as data:.
/ Jonas