[whatwg] [CORS] WebKit tainting image instead of throwing error

Kenneth Russell kbr at google.com
Tue Oct 4 13:24:12 PDT 2011

On Tue, Oct 4, 2011 at 12:11 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> "default origin behavior" is only relevant when the mode is "No CORS". See
> So for images it only applies when the "crossorigin" attribute is not set.
> So no, WebKit's implementation is not correct if you were trying to
> implement the spec.
> In particular, if "crossorigin" is set, you end up at
> step 3 item 1 in the 'If mode is "Anonymous" or "Use Credentials"'
> which is exactly what was cited in the mail that started this thread.

Right, I see now. Sorry.

On Tue, Oct 4, 2011 at 12:10 PM, Ian Hickson <ian at hixie.ch> wrote:

> On Tue, 4 Oct 2011, Anne van Kesteren wrote:
> > On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <ian at hixie.ch> wrote:
> > > The idea is that if the server explicitly rejected the CORS request,
> > > then the image should not be usable at all.
> >
> > FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
> > about whether data gets shared in the end. One advantage I can see about
> > <img crossorigin> still displaying the image is that the request does
> > not use cookies. Not displaying the image probably makes debugging
> > easier however.
> On Tue, 4 Oct 2011, Boris Zbarsky wrote:
> >
> > Displaying images involves sharing data, basically.  That's why we're
> > having to jump through all these hoops....
> On Tue, 4 Oct 2011, Anne van Kesteren wrote:
> >
> > Sure, but not more than per usual. Note that if you do not specify the
> > crossorigin attribute the image can still get untainted. And if it does
> > not you would still display the image (as always).
> The thing is that you can grab the image data (at least the alpha channel
> using 2D canvas) from these images, even with tainting enabled, so if the
> server says no, we really should honour it.

I don't think that this is a good argument for the currently specified
behavior. The server only has the option of declining cross-origin access if
the application specified the crossorigin attribute. A hostile application
would simply not specify that attribute, would receive the tainted image,
and would use the timing attack I assume you're referring to to infer the
alpha channel.

The far more common case today is that the server doesn't understand the
CORS request, not that it explicitly forbids cross-origin access to the

It seems to me that tainting the image if the CORS check fails is more
graceful behavior, but I also see the advantages in early error reporting.

Odin, if you file a bug on bugs.webkit.org, would you CC my email address?


On Tue, 4 Oct 2011, Boris Zbarsky wrote:
> >
> > And in particular an <img crossorigin> that's in the DOM and fails the
> > CORS checks should not render the image on the page.  Anything else is
> > just broken.
> Agreed.
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list