[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests
Hans Schmucker
hansschmucker at gmail.com
Fri Mar 13 09:24:23 PDT 2009
This problem recently became apparent while trying to process a public
video on tinyvid.tv:
In article 4.8.11.3 "Security with canvas elements", the origin-clean
flag is only set depending on an element's origin. However there are
many scenarios where an image/video may actually be public and
actively allowing processing on other domains (as indicated by
Access-Control-Allow-Origin).
Is this an oversight or is there a specific reason why Access Control
for Cross-Site Requests should not work for Canvas?
More information about the whatwg
mailing list