[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests
jonas at sicking.cc
Fri Mar 13 10:59:18 PDT 2009
On Fri, Mar 13, 2009 at 9:24 AM, Hans Schmucker <hansschmucker at gmail.com> wrote:
> This problem recently became apparent while trying to process a public
> video on tinyvid.tv:
> In article 126.96.36.199 "Security with canvas elements", the origin-clean
> flag is only set depending on an element's origin. However there are
> many scenarios where an image/video may actually be public and
> actively allowing processing on other domains (as indicated by
> Is this an oversight or is there a specific reason why Access Control
> for Cross-Site Requests should not work for Canvas?
I think it's because the majority of the <canvas> spec was developed
before the Access Control spec existed. Or at least before it had the
ability to work on images (originally it only worked on XML data).