- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 06 Oct 2011 17:16:53 +0200
On Thu, 06 Oct 2011 17:05:29 +0200, Adam Barth <w3c at adambarth.com> wrote:
> The reason it's implemented like that is because I didn't add any new
> security checks. I just expanded the canvas taint-checking code to
> understand that a CORS-approved image could pass.
>
> w.r.t. to blocking the whole image, there isn't any security benefit
> for doing so (if we did so, attackers would just omit the crossorigin
> attribute). If you want to prevent folks from embedding the image,
> you need something that works regardless of how the image was
> requested (like From-Origin).

You mean WebKit does not support the crossorigin attribute at all? That is
how I envisioned CORS to work for <img>.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 6 October 2011 08:16:53 UTC