- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 23 May 2011 20:43:02 +0000 (UTC)
On Thu, 19 May 2011, Chris Double wrote:
> On Wed, May 18, 2011 at 1:11 PM, Ian Hickson <ian at hixie.ch> wrote:
> > This is only a first draft, I'm not sure it's perfect. In particular,
> > right now cross-origin media is not allowed at all without this
> > attribute (this is not a new change, but I'm not sure it's what
> > implementations do).
>
> Last I checked Amazon S3 and other large content serving sites don't
> support CORS. Does this mean a number of existing sites using Amazon S3
> as their backend would break?

The change was backwards-compatible with the previous state of the spec, so nothing would break if it was working before. However, if browsers didn't enforce the same-origin check before for <video>, then yes, if they implemented it now things would break.

I've changed this so that <video> now works like <img>; it doesn't send an Origin: header by default, taints cross-origin videos but doesn't block them, and supports the attribute the same way.

<track> (the element for text tracks) doesn't do the tainting thing, it either allows or disallows, and is controlled by the <video> element's cross-origin="" attribute, so that you don't have to specify it a dozen times for each media element. (Same with <source>, it's controlled by the <video> element's cross-origin="" attribute.)

The "Origin:" header for all these cases isn't sent unless the cross-origin="" attribute is specified. (Previously, <track> and <video> were specified to include it always.)

On Thu, 19 May 2011, Robert O'Callahan wrote:
>
> What exactly do you mean by "cross-origin media is not allowed at all"?
> I hope you mean "CORS is not used at all", since obviously image and
> media elements are allowed to load resources cross-origin today, and
> changing that would break the Web.

<img> obviously allows cross-origin access, yes. The spec didn't allow it for <video>, as it turns out. This is fixed now.
On Fri, 20 May 2011, Gregg Tavares (wrk) wrote:
>
> How about updating the CORS spec so that a server can send a
>
> Access-Control-Allow-Origin: *
>
> header even when not specifically requested and the browser can then
> allow those resources to be used cross-origin where otherwise they
> wouldn't
>
> This would mean sites like picasa and flickr could just add that static
> string to their headers and things would just work, no HTML or JS
> changes required, no having to tag images with cross-origin unless
> you're dealing with a really strict server that actually wants to check
> credentials.

We can't allow the "*" mode without the cross-origin="" attribute for the reasons Jonas posted earlier today, but I've made it support an explicit cross-origin opt-in, so if you know what domains are going to need it you can do the opt-in without adding the cross-origin="" attribute everywhere.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 23 May 2011 13:43:02 UTC