- From: Kenneth Russell <kbr@google.com>
- Date: Tue, 4 Oct 2011 12:04:18 -0700

On Tue, Oct 4, 2011 at 11:55 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>>
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>>
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>>
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
>
> Displaying images involves sharing data, basically. That's why we're having
> to jump through all these hoops....

As far as I can tell the tainting behavior WebKit implements is correct, and is specified by the text in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element . Scroll down to step 6 in the algorithm for "When the user agent is to update the image data...". Note that the "default origin behaviour" is set to "taint" when fetching images.

-Ken

Received on Tuesday, 4 October 2011 12:04:18 UTC