
[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 4 Oct 2011 22:35:51 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1110042234420.20981@ps20323.dreamhostps.com>
On Tue, 4 Oct 2011, Anne van Kesteren wrote:
> On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> > A server has the option of declining _all_ non-CORS requests (e.g. all 
> > requests without an Origin header).  Servers that care about others 
> > getting at their images should do so.  Of course that relies on all 
> > UAs implementing @crossorigin so that servers can require it when 
> > linking to their images... But once we get there, this becomes a quite 
> > viable strategy for the server to avoid leaking their images.
> I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is 
> a better strategy for achieving that. The advantage being that only 
> changes on the server are required.

There's no way with this for the server to allow the client to use the 
image only if the origin is one of a few hundred origins, but not 
otherwise. (For example, allowing the image to be used by any google.* 
domain registered by Google, but not any other domain).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 4 October 2011 15:35:51 UTC
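The two server-side strategies under discussion differ in what the server can express: a static From-Origin header is one fixed policy per resource, whereas checking the Origin header on each request lets the server consult an arbitrary allow-list and reflect exactly the requesting origin. The following is an added example, not code from any participant in the thread or from WebKit, showing the Origin-checking strategy Boris describes for an image resource: requests without an Origin header (a plain img element without @crossorigin) are refused, unknown origins are refused, and allowed origins get an exact Access-Control-Allow-Origin echo plus Vary: Origin so shared caches cannot hand one origin's response to another. The allow-list, the request samples and the helper names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed allow-list standing in for "a few hundred origins"; not real data.
# Origins are compared as whole strings: suffix or regex matching on the host
# (e.g. anything ending in "google.com") would also match attacker-controlled
# hosts such as "google.com.evil.example", so an explicit set is used instead.
ALLOWED_ORIGINS = frozenset({
    "https://www.example-a.com",
    "https://cdn.example-a.com",
    "https://example-b.org",
})


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def origin_from_request(raw: str) -> Optional[str]:
    """Return the Origin header value from a raw HTTP/1.1 request, or None.

    Only the header block is inspected; the request line is skipped.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "origin":
            return value.strip()
    return None


def decide_image_response(origin: Optional[str],
                          allowed: frozenset = ALLOWED_ORIGINS) -> Response:
    """Server-side policy for a cross-origin image resource.

    - No Origin header: the fetch is not a CORS request (no @crossorigin on
      the img element), so a server that does not want its images leaked
      refuses it outright.
    - Origin of "null" or not on the allow-list: refuse.
    - Origin on the allow-list: serve, echoing exactly that origin rather
      than "*", and add Vary: Origin so caches key on the requester.
    """
    # Every branch carries Vary: Origin, including refusals, so a cached 403
    # for one origin is never replayed to a different one.
    if origin is None:
        return Response(403, {"Vary": "Origin"})
    # Browsers serialize origins in lowercase; normalizing here is an
    # assumption that keeps a hand-typed allow-list from failing on case.
    normalized = origin.lower()
    if normalized == "null" or normalized not in allowed:
        return Response(403, {"Vary": "Origin"})
    return Response(200, {
        "Access-Control-Allow-Origin": normalized,
        "Vary": "Origin",
        "Content-Type": "image/png",
    })


# Constructed sample requests: one sent for <img crossorigin>, one for a plain <img>.
REQ_CORS = ("GET /logo.png HTTP/1.1\r\n"
            "Host: images.example\r\n"
            "Origin: https://www.example-a.com\r\n\r\n")
REQ_PLAIN = ("GET /logo.png HTTP/1.1\r\n"
             "Host: images.example\r\n\r\n")


def handle(raw_request: str) -> Response:
    """Glue: extract the Origin from a raw request and apply the policy."""
    return decide_image_response(origin_from_request(raw_request))


if __name__ == "__main__":
    for label, req in (("crossorigin img", REQ_CORS), ("plain img", REQ_PLAIN)):
        resp = handle(req)
        print(f"{label}: {resp.status} {resp.headers}")
```

The response for the allowed origin reflects that one origin; emitting `*` instead would let any page read the decoded pixels through a canvas, which is exactly the leak Boris's strategy is meant to prevent. Until every UA sends Origin for `@crossorigin` images, the "refuse when Origin is absent" branch also refuses legitimate plain img fetches, which is the deployment caveat raised earlier in the thread.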
