- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 4 Oct 2011 22:34:17 +0000 (UTC)
On Tue, 4 Oct 2011, Kenneth Russell wrote:
>
> The server only has the option of declining cross-origin access if the
> application specified the crossorigin attribute. A hostile application
> would simply not specify that attribute, would receive the tainted
> image, and would use the timing attack I assume you're referring to to
> infer the alpha channel.

A server can avoid that problem by simply not returning the image in that case.

> The far more common case today is that the server doesn't understand the
> CORS request, not that it explicitly forbids cross-origin access to the
> resource.

If it doesn't understand the request, there's no point adding the attribute in the first place.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
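The server-side policy Ian describes (decline to return a sensitive image at all unless it is requested with CORS from an allowed origin), written out as an added example that is not part of the thread; the allow-list, header names and the use of the newer Sec-Fetch-Site header to recognise a site's own requests are assumptions of this example:

```javascript
// Added example, not from the original thread. Pure decision function that a
// server could apply before serving an image whose pixels must not be readable
// cross-origin. It returns an HTTP status and the response headers to send.
//
// Background for the logic: an <img> without the crossorigin attribute sends no
// Origin header, so the browser gets a rendered-but-tainted image that a hostile
// page can still probe via timing. An <img crossorigin="anonymous"> sends Origin,
// and the browser only lets the page use the image when the server echoes an
// Access-Control-Allow-Origin that matches.

const ALLOWED_ORIGINS = new Set(['https://app.example']); // constructed allow-list

function decideImageResponse(headers, allowedOrigins = ALLOWED_ORIGINS) {
  // Header names are compared lower-cased, as Node's http module presents them.
  const origin = headers['origin'];
  const site = headers['sec-fetch-site']; // assumption: modern browser; did not exist in 2011

  // The site's own <img> tags also send no Origin header. Modern browsers mark
  // them with "Sec-Fetch-Site: same-origin", so those requests are served normally.
  if (!origin && site === 'same-origin') {
    return { status: 200, headers: {} };
  }

  // No Origin and not identifiably same-origin: this is the no-crossorigin case
  // from the thread. Not returning the image leaves nothing to time against.
  if (!origin) {
    return { status: 403, headers: {} };
  }

  // CORS request from an allowed origin: serve it, with the matching ACAO header.
  if (allowedOrigins.has(origin)) {
    return {
      status: 200,
      headers: { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' },
    };
  }

  // CORS request from any other origin: decline rather than serve a tainted copy.
  return { status: 403, headers: {} };
}

module.exports = { decideImageResponse, ALLOWED_ORIGINS };
```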
Received on Tuesday, 4 October 2011 15:34:17 UTC