Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Anne van Kesteren on 2015-01-05 (public-webappsec@w3.org from January 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 19:15:19 +0100
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CADnb78iiYYa6j5yRAuvfHV6Ja6t_p0WfJG5QehiPddsqoR8fnw@mail.gmail.com>

On Mon, Jan 5, 2015 at 7:06 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> That depends on whether the loading page has the "crossorigin" attribute on
> the image and whether the server sends the appropriate CORS headers.  If
> both those things are done, the page can get access to the image data from
> script.

I thought we disabled CORS cross-scheme?


-- 
https://annevankesteren.nl/

Received on Monday, 5 January 2015 18:15:46 UTC