Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 19:15:19 +0100
Message-ID: <CADnb78iiYYa6j5yRAuvfHV6Ja6t_p0WfJG5QehiPddsqoR8fnw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 7:06 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> That depends on whether the loading page has the "crossorigin" attribute on
> the image and whether the server sends the appropriate CORS headers.  If
> both those things are done, the page can get access to the image data from
> script.

I thought we disabled CORS cross-scheme?

Received on Monday, 5 January 2015 18:15:46 UTC
