- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 30 Nov 2012 02:44:30 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: whatwg <whatwg@whatwg.org>, Adam Barth <abarth@eecs.berkeley.edu>
On Thu, 29 Nov 2012, Boris Zbarsky wrote:
> >
> > Anyway, this is somewhat moot to me because it'll all have to be
> > defined by whatever spec it is that currently says that a CSS sheet on
> > http: can't import an image on file:, etc.
>
> Heh. Does it affect things like CSP in any way?

No idea. Adam?

> > That only applies when there's no crossorigin="" attribute, unless I
> > made a mistake in the speccing.
>
> Oh, ok. Sorry. Reading diffs of HTML is a pain. :(

Yeah, couldn't agree more. If you have any idea how I can improve this, by the way, let me know. I tried running HTML diff tools for a while, but couldn't find one that actually could handle a 5MB file, and in any case they didn't really make things any more readable than plain text diffs in practice.

> Sure. We don't do any sort of "tainting" either, though; we simply
> remember the origin of the CSS (where it was actually loaded from,
> post-redirect, not the original URI) and do a same-origin check when you
> try to use the CSSOM on it. Note that this check is done against the
> effective script origin of the script doing the CSSOM access, which may
> not actually match the origin of the page the CSS is loaded for, etc.
> Not sure whether the tainting setup you describe is equivalent to that,
> though I doubt it is.

The behaviour called "tainting" in this context in the spec just means "treat as a cross-origin resource" as opposed to "treat as a network failure". The term comes from the first time I introduced crossorigin="", which was for <img>, where the default behaviour of cross-origin images as opposed to same-origin images is that they taint the canvas.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 30 November 2012 03:19:16 UTC