- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 30 May 2013 14:10:23 +0100
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: Dirk Schulze <dschulze@adobe.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
On Thu, May 30, 2013 at 12:35 AM, Robert O'Callahan <robert@ocallahan.org> wrote: > Note that if we do this, we'll need to continue to apply an origin check > when filter/mask/clip/use/pattern etc refer to an element in an external > document, at the time they use the element. Anne, can we make regular image > loads record presence of an Access-Control-Allow-Origin header if the server > sends one, without causing the load to fail if it happens to be cross-origin > with no header? There's no such concept right now. You either opt into CORS or you get a tainted cross-origin request which cannot be untainted. Note this would also be problematic with respect to cookies, unless you'll do something different for those than tainted cross-origin requests do. > Even if the spec allows it, that's going to be a pain to implement for us > since there's currently no notion of delaying CORS-enabled origin checks in > our code. There's no such notion in spec-land either. -- http://annevankesteren.nl/
Received on Thursday, 30 May 2013 13:10:58 UTC