W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2011

[whatwg] Canvas and drawWindow

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 11 Mar 2011 12:25:59 -0500
Message-ID: <4D7A5B27.9040102@mit.edu>
On 3/11/11 11:56 AM, Tab Atkins Jr. wrote:
> I suspect it wouldn't be too difficult to do this better - we can know
> ahead of time whether the window contains any cross-origin resources
> that aren't cleared by CORS.

There are lots of loads that can be cross-origin but aren't subject to 
CORS at the moment (so browsers don't track whether they're 
cross-origin): images, subframes, backgrounds, fonts all come to mind.

For backgrounds and fonts there's the additional complication that there 
are more than two origins involved:

1)  The origin of the page.
2)  The origin of the stylesheet url the page was trying to load.
3)  The origin of the stylesheet.
4)  The origin of the url the stylesheet links to.
5)  The origin of the font or background.

One could argue that #2 and #4 are not relevant here (though they are in 
other contexts at times; e.g. for <script>).  That still leaves 1,3,5, 
whose interaction would need to be defined.

Received on Friday, 11 March 2011 09:25:59 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:31 UTC