[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Hans Schmucker hansschmucker at gmail.com
Sat Mar 14 06:00:14 PDT 2009


Doesn't that kind of defeat the purpose of access control to have fine
grained control over who is allowed access? Public resources are a
quick fix for most scenarios that I can imagine, but I think using
patterns would appear more consistent and logical to most users. It
may not be terribly useful, but it would avoid a few embarrassing
moments for people who use access control.

On 3/14/09, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Sat, Mar 14, 2009 at 12:53 PM, Hans Schmucker
> <hansschmucker at gmail.com> wrote:
>
>> Question is: what would be the best way to fix it? Of course the spec
>> could be changed for video and image, but wouldn't it be simpler to
>> update the definition of origins to include patterns that can represent
>> allow rules?
>>
>
> I don't think changing the definition of origins is the right way to go. It
> seems better to define a category of "public" resources, specify that a
> resource served with "Access-Control-Allow-Origin: *" is "public", and have
> <canvas> treat public resources specially.
>
> Rob
> --
> "He was pierced for our transgressions, he was crushed for our iniquities;
> the punishment that brought us peace was upon him, and by his wounds we are
> healed. We all, like sheep, have gone astray, each of us has turned to his
> own way; and the LORD has laid on him the iniquity of us all." [Isaiah
> 53:5-6]
>
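
Added example, not part of either post: a small JavaScript model of the two rules discussed above, showing where they disagree about the canvas origin-clean flag. All function names, field names and URLs are hypothetical, and the "patterns" idea is simplified here to an exact match of the header value against the document's origin.

```javascript
// Illustrative model only; names and sample data are constructed for this example.

// Origin (scheme://host[:port]) of a URL, using the standard URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Rule A ("public" category): a cross-origin resource keeps the canvas
// origin-clean only when it was served with "Access-Control-Allow-Origin: *".
function cleanUnderPublicRule(docUrl, resource) {
  if (originOf(docUrl) === originOf(resource.url)) return true;
  return (resource.allowOrigin || "").trim() === "*";
}

// Rule B (allow rules honoured): as Rule A, but a header value naming one
// specific origin also counts when it matches the document's origin.
function cleanUnderAllowRule(docUrl, resource) {
  if (cleanUnderPublicRule(docUrl, resource)) return true;
  const allowed = (resource.allowOrigin || "").trim();
  if (allowed === "") return false;
  try {
    return originOf(allowed) === originOf(docUrl);
  } catch {
    return false; // "null" or a malformed value never matches
  }
}

// The flag is sticky: one disallowed draw taints the whole canvas.
function canvasStaysClean(docUrl, resources, rule) {
  return resources.every((r) => rule(docUrl, r));
}

// Constructed sample: the document and the resources it draws.
const DOC = "https://app.example/editor.html";
const SAME = { url: "https://app.example/logo.png", allowOrigin: null };
const PUBLIC = { url: "https://cdn.example/tile.png", allowOrigin: "*" };
const FOR_APP = { url: "https://partner.example/chart.png", allowOrigin: "https://app.example" };
const FOR_OTHER = { url: "https://partner.example/private.png", allowOrigin: "https://other.example" };

console.log("public rule, app-only resource:", cleanUnderPublicRule(DOC, FOR_APP));
console.log("allow rule,  app-only resource:", cleanUnderAllowRule(DOC, FOR_APP));
```

The only resource the two rules treat differently is the one whose server granted access to a single named origin: under the "public" rule it still taints the canvas for that very origin.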


