[whatwg] CORS requests for image and video elements

Kenneth Russell kbr at google.com
Tue May 17 14:25:04 PDT 2011


Last week, a proof of concept of a previously theoretical timing
attack against WebGL was published which allows theft of cross-domain
images' content.

To address this vulnerability it appears to be necessary to ban the
use of cross-domain images and videos in WebGL. Unfortunately, doing
so will prevent entire classes of applications from being written, and
break a not insignificant percentage of current applications.

We would like to use CORS to solve this problem; if the server grants
access to the image or video, WebGL can use it. Initial discussions
with image hosting services have been positive, and it seems that CORS
support could be enabled fairly quickly. Many such services already
support other access control mechanisms such as Flash's
crossdomain.xml. Unfortunately, experimentation indicates that it is
not possible to simply send CORS' Origin header with every HTTP GET
request for images; some servers do not behave properly when this is
done.

We would like to propose adding a new Boolean property, useCORS, to
HTMLImageElement and HTMLMediaElement, defaulting to false. If set to
true, then HTTP requests sent for these elements will set the Origin
header from the page's URL. If the Access-Control-Allow-Origin header
in the response grants access, then the content's origin will be
treated as the same as the page's.

Perhaps an API could also be added to find out whether the server
granted CORS access to the resulting media, though this is less
important. (Note that the canvas element does not have an explicit API
for querying the origin-clean flag.)

Thoughts on this proposal? We would like to decide on a path quickly
so that we can update both specs and implementations.

Thanks,

-Ken
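
The check proposed in the message above, sketched as an added example; it is not part of the original post and is not browser or WebGL code. The function names and the `*.example` URLs are hypothetical and constructed. Accepting `*` (the request is treated as credential-less) and failing closed on a missing or repeated header are assumptions.

```javascript
// Constructed sample URLs for the embedding page and a cross-domain image.
const PAGE = "https://app.example/viewer.html";
const IMG = "https://img.example/cat.png";

// Serialized origin (scheme://host[:port]) of a URL.
function originOf(url) {
  return new URL(url).origin;
}

// Request the user agent would send for the element. Origin is attached
// only when the proposed useCORS property is true, because the message
// notes that some servers misbehave if every image GET carries it.
function buildImageRequest(pageUrl, imageUrl, useCORS) {
  const headers = {};
  if (useCORS) headers["Origin"] = originOf(pageUrl);
  return { method: "GET", url: imageUrl, headers };
}

// True when the image may be treated as same-origin with the page,
// i.e. when WebGL could use it under the proposal.
function mayUseInWebGL(pageUrl, imageUrl, useCORS, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(imageUrl)) return true; // genuinely same-origin
  if (!useCORS) return false; // cross-domain and no opt-in: never readable

  // Header names are case-insensitive; collect every matching value.
  const acao = Object.entries(responseHeaders)
    .filter(([name]) => name.toLowerCase() === "access-control-allow-origin")
    .map(([, value]) => String(value).trim());

  // Assumption: an absent or repeated header is treated as "not granted".
  if (acao.length !== 1) return false;

  // Exact match on the serialized origin, or the wildcard (assumption:
  // the request carries no credentials, so "*" is acceptable).
  return acao[0] === "*" || acao[0] === pageOrigin;
}
```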

