W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2011

[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Kenneth Russell <kbr@google.com>
Date: Tue, 4 Oct 2011 12:04:18 -0700
Message-ID: <CAMYvS2dddyo7dftE6Ysu2cSMzBwUMO6cKCO=1oOJRPTGpO0eoQ@mail.gmail.com>
On Tue, Oct 4, 2011 at 11:55 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>>
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>>
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>>
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
>
> Displaying images involves sharing data, basically. ?That's why we're having
> to jump through all these hoops....

As far as I can tell the tainting behavior WebKit implements is
correct, and is specified by the text in
http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element
. Scroll down to step 6 in the algorithm for "When the user agent is
to update the image data...". Note that the "default origin behaviour"
is set to "taint" when fetching images.

-Ken
Received on Tuesday, 4 October 2011 12:04:18 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:37 UTC