[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Jonas Sicking jonas at sicking.cc
Fri Mar 13 10:59:18 PDT 2009

On Fri, Mar 13, 2009 at 9:24 AM, Hans Schmucker <hansschmucker at gmail.com> wrote:
> This problem recently became apparent while trying to process a public
> video on tinyvid.tv:
> In article "Security with canvas elements", the origin-clean
> flag is only set depending on an element's origin. However there are
> many scenarios where an image/video may actually be public and
> actively allowing processing on other domains (as indicated by
> Access-Control-Allow-Origin).
> Is this an oversight or is there a specific reason why Access Control
> for Cross-Site Requests should not work for Canvas?

I think it's because the majority of the <canvas> spec was developed
before the Access Control spec existed. Or at least before it had the
ability to work on images (originally it only worked on XML data).

/ Jonas

More information about the whatwg mailing list