[whatwg] Canvas 2D Context Proposal: resetOriginClean

Jonas Sicking jonas at sicking.cc
Fri Apr 23 12:04:57 PDT 2010


On Fri, Apr 23, 2010 at 9:43 AM, Charles Pritchard <chuck at jumis.com> wrote:
>> For what it's worth, we consider enablePrivilege to be a horrible
>> solution for basically any involved party (browser developer, user,
>> and website author), and we're in the process of removing it. So
>> saying that anything is like enablePrivilege is not a good argument :)
>>
>> / Jonas
>>
>
> Thanks for clarifying
>
> Has there been progress on enabling Canvas origin-clean with
> Cross-Origin Resource Sharing?

No.

> Currently, a CROS-enabled XMLHttpRequest result must be serialized
> in base64 then load it into an <img> tag.
>
> Cross-Origin Resource Sharing:
> http://www.w3.org/TR/cors/

One solution is to simply use CORS together with XMLHttpRequest as you
point out. Though it's definitely not smooth.

Alternatively, it would be possible to use CORS together with <img>,
such that if the response to an <img> request contains the appropriate
CORS headers then tainting would not occur when imported into a
canvas.

This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.

I suggest you approach things from this direction instead.

/ Jonas


More information about the whatwg mailing list