[whatwg] [CORS] WebKit tainting image instead of throwing error
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Oct 4 14:15:01 PDT 2011
On 10/4/11 4:24 PM, Kenneth Russell wrote:
> I don't think that this is a good argument for the currently specified
> behavior. The server only has the option of declining cross-origin
> access if the application specified the crossorigin attribute.
A server has the option of declining _all_ non CORS request (e.g. all
requests without an Origin header). Servers that care about others
getting at their images should do so. Of course that relies on all UAs
implementing @crossorigin so that servers can require it when linking to
their images... But once we get there, this becomes a quite viable
strategy for the server to avoid leaking their images.
-Boris
More information about the whatwg
mailing list