[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Hans Schmucker hansschmucker at gmail.com
Fri Mar 13 09:24:23 PDT 2009


This problem recently became apparent while trying to process a public
video on tinyvid.tv:

In article 4.8.11.3 "Security with canvas elements", the origin-clean
flag is only set depending on an element's origin. However there are
many scenarios where an image/video may actually be public and
actively allowing processing on other domains (as indicated by
Access-Control-Allow-Origin).

Is this an oversight or is there a specific reason why Access Control
for Cross-Site Requests should not work for Canvas?



More information about the whatwg mailing list