
[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 04 Oct 2011 15:11:14 -0400
Message-ID: <4E8B5A52.3080804@mit.edu>

On 10/4/11 3:04 PM, Kenneth Russell wrote:
> As far as I can tell the tainting behavior WebKit implements is
> correct, and is specified by the text in
> http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element
> . Scroll down to step 6 in the algorithm for "When the user agent is
> to update the image data...". Note that the "default origin behaviour"
> is set to "taint" when fetching images.

"default origin behavior" is only relevant when the mode is "No CORS". 
See 
http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#potentially-cors-enabled-fetch

So for images it only applies when the "crossorigin" attribute is not set.

So no, WebKit's implementation is not correct if you were trying to 
implement the spec.

In particular, if "crossorigin" is set, you end up at 
http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#potentially-cors-enabled-fetch 
step 3 item 1 in the 'If mode is "Anonymous" or "Use Credentials"' 
section, which is exactly what was cited in the mail that started this 
thread.

-Boris
Received on Tuesday, 4 October 2011 12:11:14 UTC
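
Added example, not part of the original message or of the spec text: a simplified JavaScript model of the distinction drawn above, where the default origin behaviour ("taint") applies only in "No CORS" mode and a failed check in "Anonymous" or "Use Credentials" mode is an error. The function names and the sample origins are hypothetical, and the attribute-to-mode mapping and header check are assumed to follow the HTML `crossorigin` attribute and the CORS resource sharing check.

```javascript
// Simplified model (constructed for illustration; not browser or spec code).

// crossorigin attribute -> fetch mode. Absent attribute means "No CORS".
function corsMode(crossorigin) {
  if (crossorigin === null || crossorigin === undefined) return "No CORS";
  return crossorigin.toLowerCase() === "use-credentials"
    ? "Use Credentials"
    : "Anonymous";
}

// CORS resource sharing check over response headers (keys lower-cased).
function sharingCheckPasses(headers, docOrigin, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials; // wildcard never valid with credentials
  if (allow !== docOrigin) return false;
  return !withCredentials ||
    headers["access-control-allow-credentials"] === "true";
}

// Outcome of loading an <img>: "same-origin", "cors-same-origin", "tainted" or "failed".
function imageFetchOutcome(req, defaultOriginBehaviour = "taint") {
  const { docOrigin, imgUrl, crossorigin, headers = {} } = req;
  if (new URL(imgUrl).origin === docOrigin) return "same-origin";
  const mode = corsMode(crossorigin);
  if (mode === "No CORS") {
    // Only here does the default origin behaviour apply.
    return defaultOriginBehaviour === "taint" ? "tainted" : "failed";
  }
  // Anonymous / Use Credentials: a failed check is an error, never a taint.
  return sharingCheckPasses(headers, docOrigin, mode === "Use Credentials")
    ? "cors-same-origin"
    : "failed";
}

// Constructed sample requests from a page at https://app.example.
const base = { docOrigin: "https://app.example", imgUrl: "https://cdn.example/a.png" };
const outcomes = {
  noAttribute: imageFetchOutcome({ ...base }),
  anonymousNoHeaders: imageFetchOutcome({ ...base, crossorigin: "anonymous" }),
  anonymousWildcard: imageFetchOutcome({ ...base, crossorigin: "",
    headers: { "access-control-allow-origin": "*" } }),
  credentialsWildcard: imageFetchOutcome({ ...base, crossorigin: "use-credentials",
    headers: { "access-control-allow-origin": "*" } }),
};
console.log(outcomes);
```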
