[whatwg] Canvas and drawWindow
Boris Zbarsky
bzbarsky at MIT.EDU
Fri Mar 11 09:25:59 PST 2011
On 3/11/11 11:56 AM, Tab Atkins Jr. wrote:
> I suspect it wouldn't be too difficult to do this better - we can know
> ahead of time whether the window contains any cross-origin resources
> that aren't cleared by CORS.
There are lots of loads that can be cross-origin but aren't subject to
CORS at the moment (so browsers don't track whether they're
cross-origin): images, subframes, backgrounds, fonts all come to mind.
For backgrounds and fonts there's the additional complication that there
are more than two origins involved:
1) The origin of the page.
2) The origin of the stylesheet url the page was trying to load.
3) The origin of the stylesheet.
4) The origin of the url the stylesheet links to.
5) The origin of the font or background.
One could argue that #2 and #4 are not relevant here (though they are in
other contexts at times; e.g. for <script>). That still leaves 1,3,5,
whose interaction would need to be defined.
-Boris
More information about the whatwg
mailing list