- From: Hans Schmucker <hansschmucker@gmail.com>
- Date: Sun, 15 Mar 2009 20:45:17 +0100
On Sat, Mar 14, 2009 at 3:11 PM, Anne van Kesteren <annevk at opera.com> wrote: > On Fri, 13 Mar 2009 23:53:36 -0000, Hans Schmucker <hansschmucker at gmail.com> > wrote: >> >> Question is: what would be the best way to fix it? Of course the spec >> could be changed for video and image, but wouldn't it be simpler to >> update the defintion of origins to include patterns that can represent >> allow rules? > > Aside: You might want to take a look at a later version of the specification > (the one that is being implemented): > > ?http://dev.w3.org/2006/waf/access-control/ Thank you Anne, but I think this has to be dealt with primarily inside the HTML5 spec. The Access Control spec is already pretty clear on how things are supposed to work on the server and from the server to the client and it's probably mostly enough to say that "Image and Video elements in addition to cross-origin linking also allow for cross-origin use as described in Cross-Origin Resource Sharing". Me and Chris actually assumed it would work that way until we tried it. The main question for me (aside from the question if image/video/canvas elements should retain all necessary information to check for valid origins that are allowed access again or just be marked "standard"/"public") is where to put it in the spec. It's an issue that applies to pretty much anything that allows access to the raw data (which is just canvas now, but nobody knows what the future will bring) and to make matters worse its nature not only requires changes to canvas itself, but also to the elements that are drawable, like img or video. So to me it would make the most sense to put this as far away as possible from Canvas and make it more into a generic item how DOM elements are supposed to hold data about cross origin headers. Then the canvas description would need virtually no changed beyond "obeys cross-origin rules for pixel access".
Received on Sunday, 15 March 2009 12:45:17 UTC