W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2011

[whatwg] [CORS] WebKit tainting image instead of throwing error

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 06 Oct 2011 17:16:53 +0200
Message-ID: <op.v2xrefin64w2qv@cm->
On Thu, 06 Oct 2011 17:05:29 +0200, Adam Barth <w3c at adambarth.com> wrote:
> The reason it's implemented like that is because I didn't add any new
> security checks.  I just expanded the canvas taint-checking code to
> understand that a CORS-approved image could pass.
> w.r.t. to blocking the whole image, there isn't any security benefit
> for doing so (if we did so, attackers would just omit the crossorigin
> attribute).  If you want to prevent folks from embedding the image,
> you need something that works regardless of how the image was
> requested (like From-Origin).

You mean WebKit does not support the crossorigin attribute at all? That is  
how I envisioned CORS to work for <img>.

Anne van Kesteren
Received on Thursday, 6 October 2011 08:16:53 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:37 UTC