[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 04 Oct 2011 21:02:16 +0200
Message-ID: <op.v2uch2f364w2qv@cm->

On Tue, 04 Oct 2011 20:55:28 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
> Displaying images involves sharing data, basically.  That's why we're  
> having to jump through all these hoops....

Sure, but not more than per usual. Note that if you do not specify the  
crossorigin attribute the image can still get untainted. And if it does  
not you would still display the image (as always).

Anne van Kesteren
Received on Tuesday, 4 October 2011 12:02:16 UTC
