[whatwg] [CORS] WebKit tainting image instead of throwing error

Anne van Kesteren annevk at opera.com
Tue Oct 4 11:44:23 PDT 2011

On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
> The idea is that if the server explicitly rejected the CORS request, then
> the image should not be usable at all.

FWIW, from a CORS-perspective both scenarios are fine. CORS only cares  
about whether data gets shared in the end. One advantage I can see about  
<img crossorigin> still displaying the image is that the request does not  
use cookies. Not displaying the image probably makes debugging easier  

Anne van Kesteren

More information about the whatwg mailing list