[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

Anne van Kesteren annevk at opera.com
Sun Mar 15 13:29:21 PDT 2009

On Sun, 15 Mar 2009 20:45:17 +0100, Hans Schmucker  
<hansschmucker at gmail.com> wrote:
> Thank you Anne, but I think this has to be dealt with primarily inside
> the HTML5 spec.

Yes, hence me using the word "aside"...

Anyway, ...

> The Access Control spec is already pretty clear on how
> things are supposed to work on the server and from the server to the
> client and it's probably mostly enough to say that "Image and Video
> elements in addition to cross-origin linking also allow for
> cross-origin use as described in Cross-Origin Resource Sharing".

No, currently you actually have to state which algorithm you use in CORS  
and how. Otherwise CORS does not apply (at least not from a specification  

> Me and Chris actually assumed it would work that way until we tried it.
> The main question for me (aside from the question if
> image/video/canvas elements should retain all necessary information to
> check for valid origins that are allowed access again or just be
> marked "standard"/"public") is where to put it in the spec. It's an
> issue that applies to pretty much anything that allows access to the
> raw data (which is just canvas now, but nobody knows what the future
> will bring) and to make matters worse its nature not only requires
> changes to canvas itself, but also to the elements that are drawable,
> like img or video. So to me it would make the most sense to put this
> as far away as possible from Canvas and make it more into a generic
> item how DOM elements are supposed to hold data about cross origin
> headers. Then the canvas description would need virtually no changed
> beyond "obeys cross-origin rules for pixel access".

That does sound nice yes.

Anne van Kesteren

More information about the whatwg mailing list