[whatwg] CORS requests for image and video elements
ian at hixie.ch
Mon May 23 13:43:02 PDT 2011
On Thu, 19 May 2011, Chris Double wrote:
> On Wed, May 18, 2011 at 1:11 PM, Ian Hickson <ian at hixie.ch> wrote:
> > This is only a first draft, I'm not sure it's perfect. In particular,
> > right now cross-origin media is not allowed at all without this
> > attribute (this is not a new change, but I'm not sure it's what
> > implementations do).
> Last I checked Amazon S3 and other large content serving sites don't
> support CORS. Does this mean a number of existing sites using Amazon S3
> as their backend would break?
The change was backwards-compatible with the previous state of the spec,
so nothing would break if it was working before. However, if browsers
didn't enforce the same-origin check before for <video>, then yes, if
they implemented it now things would break.
I've changed this so that <video> now works like <img>; it doesn't send an
Origin: header by default, taints cross-origin videos but doesn't block
them, and supports the attribute the same way. <track> (the element for
text tracks) doesn't do the tainting thing, it either allows or disallows,
and is controlled by the <video> element's cross-origin="" attribute, so
that you don't have to specify it a dozen times for each media element.
(Same with <source>, it's controlled by the <video> element's
cross-origin="" attribute.) The "Origin:" header for all these cases isn't
sent unless the cross-origin="" attribute is specified. (Previously,
<track> and <video> were specified to include it always.)
On Thu, 19 May 2011, Robert O'Callahan wrote:
> What exactly do you mean by "cross-origin media is not allowed at all"?
> I hope you mean "CORS is not used at all", since obviously image and
> media elements are allowed to load resources cross-origin today, and
> changing that would break the Web.
<img> obviously allows cross-origin access, yes. The spec didn't allow it
for <video>, as it turns out. This is fixed now.
On Fri, 20 May 2011, Gregg Tavares (wrk) wrote:
> How about updating the CORS spec so that a server can send a
> Access-Control-Allow-Origin: *
> header even when not specifically requested and the browser can then
> allow those resource to be used cross-origin where otherwise they
> This would mean sites like picasa and flickr could just add that static
> string to their headers and things would just work, no HTML or JS
> changes required, no having to tag images with cross-origin unless
> you're dealing with a really strict server that actually wants to check
We can't allow the "*" mode without the cross-origin="" attribute for the
reasons Jonas posted earlier today, but I've made it support an explicit
cross-origin opt-in, so if you know what domains are going to need it you
can do the opt-in without adding the cross-origin="" attribute everywhere.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg