[whatwg] CORS requests for image and video elements

Kenneth Russell kbr at google.com
Tue May 17 15:15:07 PDT 2011

On Tue, May 17, 2011 at 2:52 PM, Glenn Maynard <glenn at zewt.org> wrote:
> On Tue, May 17, 2011 at 5:40 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>> If the "supports credentials" flag is set to false, the request will
>> be made without cookies, and the server may respond with either
>> "Access-Control-Allow-Origin:*" or "Access-Control-Allow-Origin:
>> <origin>".
>> I propose that the latter mode is used as it will make servers easier
>> to configure as they can just add a static header to all their
>> responses.
> This could be specified, eg. <img cors> without credentials and <img
> cors="credentials"> with.  I don't know if there are use cases to justify
> it.

In general I think we need to enable as close behavior to the normal
image fetching code path as possible. For example, a mashup might
require you to be logged in to a site in order to display thumbnails
of movie trailers. If normal image fetches send cookies, then it has
to be possible to send them when doing a CORS request. I like the idea
of <img cors> vs. <img cors="credentials">.


More information about the whatwg mailing list