W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2011

[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 4 Oct 2011 22:34:17 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1110042233090.20981@ps20323.dreamhostps.com>
On Tue, 4 Oct 2011, Kenneth Russell wrote:
> The server only has the option of declining cross-origin access if the 
> application specified the crossorigin attribute. A hostile application 
> would simply not specify that attribute, would receive the tainted 
> image, and would use the timing attack I assume you're referring to to 
> infer the alpha channel.

A server can avoid that problem by simply not returning the image in that 

> The far more common case today is that the server doesn't understand the 
> CORS request, not that it explicitly forbids cross-origin access to the 
> resource.

If it doesn't understand the request, there's no point adding the 
attribute in the first place.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 4 October 2011 15:34:17 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:37 UTC