[whatwg] CORS requests for image and video elements

Ian Hickson ian at hixie.ch
Mon May 23 13:43:02 PDT 2011

On Thu, 19 May 2011, Chris Double wrote:
> On Wed, May 18, 2011 at 1:11 PM, Ian Hickson <ian at hixie.ch> wrote:
> > This is only a first draft, I'm not sure it's perfect. In particular, 
> > right now cross-origin media is not allowed at all without this 
> > attribute (this is not a new change, but I'm not sure it's what 
> > implementations do).
> Last I checked Amazon S3 and other large content serving sites don't 
> support CORS. Does this mean a number of existing sites using Amazon S3 
> as their backend would break?

The change was backwards-compatible with the previous state of the spec, 
so nothing would break if it was working before. However, if browsers 
didn't enforce the same-origin check before for <video>, then yes, if 
they implemented it now things would break.

I've changed this so that <video> now works like <img>; it doesn't send an 
Origin: header by default, taints cross-origin videos but doesn't block 
them, and supports the attribute the same way. <track> (the element for 
text tracks) doesn't do the tainting thing, it either allows or disallows, 
and is controlled by the <video> element's cross-origin="" attribute, so 
that you don't have to specify it a dozen times for each media element. 
(Same with <source>, it's controlled by the <video> element's 
cross-origin="" attribute.) The "Origin:" header for all these cases isn't 
sent unless the cross-origin="" attribute is specified. (Previously, 
<track> and <video> were specified to include it always.)

On Thu, 19 May 2011, Robert O'Callahan wrote:
> What exactly do you mean by "cross-origin media is not allowed at all"? 
> I hope you mean "CORS is not used at all", since obviously image and 
> media elements are allowed to load resources cross-origin today, and 
> changing that would break the Web.

<img> obviously allows cross-origin access, yes. The spec didn't allow it 
for <video>, as it turns out. This is fixed now.

On Fri, 20 May 2011, Gregg Tavares (wrk) wrote:
> How about updating the CORS spec so that a server can send a
>    Access-Control-Allow-Origin: *
> header even when not specifically requested and the browser can then 
> allow those resource to be used cross-origin where otherwise they 
> wouldn't
> This would mean sites like picasa and flickr could just add that static 
> string to their headers and things would just work, no HTML or JS 
> changes required, no having to tag images with cross-origin unless 
> you're dealing with a really strict server that actually wants to check 
> credentials.

We can't allow the "*" mode without the cross-origin="" attribute for the 
reasons Jonas posted earlier today, but I've made it support an explicit 
cross-origin opt-in, so if you know what domains are going to need it you 
can do the opt-in without adding the cross-origin="" attribute everywhere.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list