
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 05 Jan 2015 13:06:12 -0500
Message-ID: <54AAD294.8060801@mit.edu>
To: public-webappsec@w3.org
On 1/5/15 12:39 PM, Martin Thomson wrote:
> Isn't it also the case that cross-origin images like that are
> inaccessible to script?

That depends on whether the loading page has the "crossorigin" attribute
on the image and whether the server sends the appropriate CORS headers.
If both those things are done, the page can get access to the image
data from script.

-Boris
Received on Monday, 5 January 2015 18:06:40 UTC
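
The rule described in the message above, modelled as an added JavaScript example (not part of the original message or of any browser's code). The function name, field names and `example` origins are hypothetical; the header names are the standard CORS ones. It goes slightly beyond the message by also covering the case where the attribute is set but the CORS check fails, in which the image does not load at all.

```javascript
// Decide whether page script may read the pixels of an <img>
// (for example via canvas getImageData) and whether the image loads at all.
function imageScriptAccess({ pageOrigin, imageUrl, crossorigin, responseHeaders }) {
  if (new URL(imageUrl).origin === pageOrigin) {
    return { loads: true, readable: true, why: "same-origin" };
  }
  // No crossorigin attribute: the fetch is "no-cors". The image renders,
  // but the response is opaque, so drawing it taints the canvas regardless
  // of any CORS headers the server happens to send.
  if (crossorigin === null || crossorigin === undefined) {
    return { loads: true, readable: false, why: "no-cors fetch, opaque response" };
  }
  // Header names are case-insensitive; normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = headers.get("access-control-allow-origin");
  // "use-credentials" sends cookies; any other value (including "") is anonymous.
  const withCredentials = crossorigin.toLowerCase() === "use-credentials";
  const passed = withCredentials
    // Credentialed: wildcard is not accepted, and the server must opt in.
    ? acao === pageOrigin && headers.get("access-control-allow-credentials") === "true"
    : acao === "*" || acao === pageOrigin;
  return passed
    ? { loads: true, readable: true, why: "CORS check passed" }
    : { loads: false, readable: false, why: "CORS check failed, treated as network error" };
}

// Constructed sample cases (not captured traffic).
const samplePage = "https://app.example";
const sampleImage = "https://cdn.example/photo.png";
const sampleCases = [
  { crossorigin: null, responseHeaders: { "Access-Control-Allow-Origin": "*" } },
  { crossorigin: "anonymous", responseHeaders: { "Access-Control-Allow-Origin": "*" } },
  { crossorigin: "anonymous", responseHeaders: {} },
  { crossorigin: "use-credentials", responseHeaders: { "Access-Control-Allow-Origin": "*" } },
];
for (const c of sampleCases) {
  const r = imageScriptAccess({ pageOrigin: samplePage, imageUrl: sampleImage, ...c });
  console.log(JSON.stringify(c.crossorigin), "->", r.why, "| readable:", r.readable);
}
```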
