[whatwg] [CORS] WebKit tainting image instead of throwing error

Kenneth Russell kbr at google.com
Tue Oct 4 12:04:18 PDT 2011

On Tue, Oct 4, 2011 at 11:55 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
> Displaying images involves sharing data, basically.  That's why we're having
> to jump through all these hoops....

As far as I can tell the tainting behavior WebKit implements is
correct, and is specified by the text in
. Scroll down to step 6 in the algorithm for "When the user agent is
to update the image data...". Note that the "default origin behaviour"
is set to "taint" when fetching images.


More information about the whatwg mailing list