[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Hans Schmucker hansschmucker at gmail.com
Fri Mar 13 09:24:23 PDT 2009

This problem recently became apparent while trying to process a public
video on tinyvid.tv:

In article "Security with canvas elements", the origin-clean
flag is only set depending on an element's origin. However there are
many scenarios where an image/video may actually be public and
actively allowing processing on other domains (as indicated by

Is this an oversight or is there a specific reason why Access Control
for Cross-Site Requests should not work for Canvas?

More information about the whatwg mailing list