[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 04 Oct 2011 23:25:30 +0200
Message-ID: <op.v2ui4sht64w2qv@cm->
On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> A server has the option of declining _all_ non-CORS requests (e.g. all  
> requests without an Origin header).  Servers that care about others  
> getting at their images should do so.  Of course that relies on all UAs  
> implementing @crossorigin so that servers can require it when linking to  
> their images...  But once we get there, this becomes a quite viable  
> strategy for the server to avoid leaking their images.

I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is a  
better strategy for achieving that. The advantage being that only changes  
on the server are required.

Anne van Kesteren
Received on Tuesday, 4 October 2011 14:25:30 UTC
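
The server-side policy described in the quoted text (decline every request that arrives without an Origin header) can be sketched as WSGI middleware. This is an added example, not part of the original message; the allowed origin, the `/images/` prefix and the helper names `require_cors`, `image_app` and `fetch` are assumptions made for illustration.

```python
# Added example. ALLOWED_ORIGINS and PROTECTED_PREFIX are constructed values.
ALLOWED_ORIGINS = {"https://app.example"}
PROTECTED_PREFIX = "/images/"

def require_cors(app):
    """Wrap a WSGI app so protected paths are served only to CORS requests."""
    def middleware(environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
            return app(environ, start_response)
        origin = environ.get("HTTP_ORIGIN")
        if origin is None or origin not in ALLOWED_ORIGINS:
            # No Origin header (e.g. <img> without crossorigin) or an origin
            # that is not on the list: decline instead of serving the image.
            body = b"CORS request from an allowed origin required\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Vary", "Origin"),
            ])
            return [body]

        def cors_start_response(status, headers, exc_info=None):
            # Echo the single allowed origin; Vary keeps shared caches from
            # replaying this response to a different origin.
            headers = list(headers) + [
                ("Access-Control-Allow-Origin", origin),
                ("Vary", "Origin"),
            ]
            return start_response(status, headers, exc_info)
        return app(environ, cors_start_response)
    return middleware

def image_app(environ, start_response):
    """Stand-in for the real image handler (constructed)."""
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"\x89PNG"]

def fetch(app, path, origin=None):
    """Call a WSGI app in-process and return (status, headers dict)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    list(app(environ, start_response))
    return seen["status"], seen["headers"]
```

Only browsers set Origin reliably; a non-browser client can send any value, so this check limits cross-site embedding and reads rather than direct fetching.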