[whatwg] CORS requests for image and video elements

Jonas Sicking jonas at sicking.cc
Fri May 20 19:48:15 PDT 2011

On Fri, May 20, 2011 at 10:46 AM, Gregg Tavares (wrk) <gman at google.com> wrote:
> How about updating the CORS spec so that a server can send a
>    Access-Control-Allow-Origin: *
> header even when not specifically requested and the browser can then
> allow those resource to be used cross-origin where otherwise they
> wouldn't
> This would mean sites like picasa and flickr could just add that
> static string to their headers and things would just work, no HTML
> or JS changes required, no having to tag images with cross-origin
> unless you're dealing with a really strict server that actually wants
> to check credentials.

When we designed CORS we very intentionally did not want to allow
"allow *" rules for resources that are loaded with user credentials
(most significantly cookies). The reason was that we did not want
people to repeat the mistakes that happened when flash's cross-site
loading technology was deployed. Many sites added a "allow *" rule to
all their resources, thus accidentally leaking all user data to any
site that the user visited.

So to fix this in CORS, we only allow "allow *" rules for requests
loaded without user credentials.

However <img> elements by default make requests with user credentials.
Changing that, even for just cross-site loads, would likely break the

/ Jonas

More information about the whatwg mailing list