[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests
Anne van Kesteren
annevk at opera.com
Sun Mar 15 13:29:21 PDT 2009
On Sun, 15 Mar 2009 20:45:17 +0100, Hans Schmucker
<hansschmucker at gmail.com> wrote:
> Thank you Anne, but I think this has to be dealt with primarily inside
> the HTML5 spec.
Yes, hence me using the word "aside"...
> The Access Control spec is already pretty clear on how
> things are supposed to work on the server and from the server to the
> client and it's probably mostly enough to say that "Image and Video
> elements in addition to cross-origin linking also allow for
> cross-origin use as described in Cross-Origin Resource Sharing".
No, currently you actually have to state which algorithm you use in CORS
and how. Otherwise CORS does not apply (at least not from a specification
> Me and Chris actually assumed it would work that way until we tried it.
> The main question for me (aside from the question if
> image/video/canvas elements should retain all necessary information to
> check for valid origins that are allowed access again or just be
> marked "standard"/"public") is where to put it in the spec. It's an
> issue that applies to pretty much anything that allows access to the
> raw data (which is just canvas now, but nobody knows what the future
> will bring) and to make matters worse its nature not only requires
> changes to canvas itself, but also to the elements that are drawable,
> like img or video. So to me it would make the most sense to put this
> as far away as possible from Canvas and make it more into a generic
> item how DOM elements are supposed to hold data about cross origin
> headers. Then the canvas description would need virtually no changed
> beyond "obeys cross-origin rules for pixel access".
That does sound nice yes.
Anne van Kesteren
More information about the whatwg