[whatwg] [CORS] WebKit tainting image instead of throwing error

Boris Zbarsky bzbarsky at MIT.EDU
Tue Oct 4 11:50:30 PDT 2011


On 10/4/11 2:32 PM, Odin Hørthe Omdal wrote:
> WebKit, on the other hand, only taints the image and loads it anyway,
> breaking the spec.

File a bug on them please?  The idea of CORS is that CORS-using requests 
stop making the harmful distinction between ability to embed and ability 
to read.  That's why CORS had to be opt-in for images.  If WebKit is not 
implenenting this properly, they just need to fix their code...

And in particular an <img crossorigin> that's in the DOM and fails the 
CORS checks should not render the image on the page.  Anything else is 
just broken.

-Boris



More information about the whatwg mailing list