- From: Anne van Kesteren <annevk@opera.com>
- Date: Sun, 15 Mar 2009 21:29:21 +0100
On Sun, 15 Mar 2009 20:45:17 +0100, Hans Schmucker <hansschmucker at gmail.com> wrote: > Thank you Anne, but I think this has to be dealt with primarily inside > the HTML5 spec. Yes, hence me using the word "aside"... Anyway, ... > The Access Control spec is already pretty clear on how > things are supposed to work on the server and from the server to the > client and it's probably mostly enough to say that "Image and Video > elements in addition to cross-origin linking also allow for > cross-origin use as described in Cross-Origin Resource Sharing". No, currently you actually have to state which algorithm you use in CORS and how. Otherwise CORS does not apply (at least not from a specification standpoint). > Me and Chris actually assumed it would work that way until we tried it. > The main question for me (aside from the question if > image/video/canvas elements should retain all necessary information to > check for valid origins that are allowed access again or just be > marked "standard"/"public") is where to put it in the spec. It's an > issue that applies to pretty much anything that allows access to the > raw data (which is just canvas now, but nobody knows what the future > will bring) and to make matters worse its nature not only requires > changes to canvas itself, but also to the elements that are drawable, > like img or video. So to me it would make the most sense to put this > as far away as possible from Canvas and make it more into a generic > item how DOM elements are supposed to hold data about cross origin > headers. Then the canvas description would need virtually no changed > beyond "obeys cross-origin rules for pixel access". That does sound nice yes. -- Anne van Kesteren http://annevankesteren.nl/
Received on Sunday, 15 March 2009 13:29:21 UTC