[whatwg] Canvas and drawWindow

Boris Zbarsky bzbarsky at MIT.EDU
Fri Mar 11 09:25:59 PST 2011

On 3/11/11 11:56 AM, Tab Atkins Jr. wrote:
> I suspect it wouldn't be too difficult to do this better - we can know
> ahead of time whether the window contains any cross-origin resources
> that aren't cleared by CORS.

There are lots of loads that can be cross-origin but aren't subject to 
CORS at the moment (so browsers don't track whether they're 
cross-origin): images, subframes, backgrounds, fonts all come to mind.

For backgrounds and fonts there's the additional complication that there 
are more than two origins involved:

1)  The origin of the page.
2)  The origin of the stylesheet url the page was trying to load.
3)  The origin of the stylesheet.
4)  The origin of the url the stylesheet links to.
5)  The origin of the font or background.

One could argue that #2 and #4 are not relevant here (though they are in 
other contexts at times; e.g. for <script>).  That still leaves 1,3,5, 
whose interaction would need to be defined.


More information about the whatwg mailing list