[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Jerason Banes jbanes at gmail.com
Fri Mar 13 10:07:35 PDT 2009

I think this is an excellent point. I've been playing with the Chroma-Key
replacement trick demonstrated in FireFox 3.1b3:

For my own experiments, I grabbed a green-screen video from Youtube and
converted it to OGG. If the access control were in place for Canvas, I could
have done direct compositing on an embedded video from TinyVid. Which would
open up some interesting possibilities for video mashups on the web.


On Fri, Mar 13, 2009 at 11:24 AM, Hans Schmucker <hansschmucker at gmail.com>wrote:

> This problem recently became apparent while trying to process a public
> video on tinyvid.tv:
> In article "Security with canvas elements", the origin-clean
> flag is only set depending on an element's origin. However there are
> many scenarios where an image/video may actually be public and
> actively allowing processing on other domains (as indicated by
> Access-Control-Allow-Origin).
> Is this an oversight or is there a specific reason why Access Control
> for Cross-Site Requests should not work for Canvas?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090313/5f8c9107/attachment-0002.htm>

More information about the whatwg mailing list