[whatwg] [CORS] WebKit tainting image instead of throwing error

Kenneth Russell kbr at google.com
Tue Oct 4 12:04:18 PDT 2011


On Tue, Oct 4, 2011 at 11:55 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>>
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>>
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>>
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
>
> Displaying images involves sharing data, basically.  That's why we're having
> to jump through all these hoops....

As far as I can tell the tainting behavior WebKit implements is
correct, and is specified by the text in
http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element
. Scroll down to step 6 in the algorithm for "When the user agent is
to update the image data...". Note that the "default origin behaviour"
is set to "taint" when fetching images.

-Ken


