[whatwg] [CORS] WebKit tainting image instead of throwing error

Boris Zbarsky bzbarsky at MIT.EDU
Tue Oct 4 14:15:01 PDT 2011


On 10/4/11 4:24 PM, Kenneth Russell wrote:
> I don't think that this is a good argument for the currently specified
> behavior. The server only has the option of declining cross-origin
> access if the application specified the crossorigin attribute.

A server has the option of declining _all_ non-CORS requests (e.g. all 
requests without an Origin header).  Servers that care about others 
getting at their images should do so.  Of course that relies on all UAs 
implementing @crossorigin so that servers can require it when linking to 
their images...  But once we get there, this becomes a quite viable 
strategy for the server to avoid leaking their images.

-Boris
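The server-side strategy Boris describes, written out as an added example (this is not code from the thread or from either participant, and the allow-list, the function names and the constructed PNG bytes are assumptions): a request for a protected image that carries no Origin header was not made in CORS mode, i.e. the page did not use @crossorigin, so the server refuses it; a CORS-mode request is served only when its Origin is on the allow-list, and only then does the response carry Access-Control-Allow-Origin.

```python
"""Added example: refuse image requests that were not made in CORS mode
(no Origin header), and answer CORS-mode requests only for allow-listed
origins.  Pure policy function plus a minimal WSGI wrapper so it can be
run locally with wsgiref; not code from the whatwg thread."""

from typing import Mapping, Optional, Tuple
from wsgiref.simple_server import make_server

# Constructed allow-list of page origins permitted to read the image bytes.
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://editor.example"})

# Constructed placeholder for the image body (PNG signature only).
FAKE_PNG = b"\x89PNG\r\n\x1a\n"


def decide_image_response(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Return (status, response_headers) for a request for a protected image.

    - No Origin header: the request was not made in CORS mode (for example
      a plain <img src> without crossorigin), so the server refuses it.
    - Origin present but not allow-listed: refuse and send no CORS headers,
      so the browser will not expose the response to the page either.
    - Origin allow-listed: serve it with Access-Control-Allow-Origin set to
      that exact origin, plus Vary: Origin so shared caches keep responses
      for different origins apart.
    """
    # HTTP header names are case-insensitive; normalise before the lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    origin: Optional[str] = normalised.get("origin")

    if origin is None:
        return 403, {"Content-Type": "text/plain"}
    if origin not in ALLOWED_ORIGINS:
        return 403, {"Content-Type": "text/plain", "Vary": "Origin"}
    return 200, {
        "Content-Type": "image/png",
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper: map the CGI-style HTTP_ORIGIN variable back to a
    header dict, apply the policy and emit the decision."""
    headers = {}
    if "HTTP_ORIGIN" in environ:
        headers["Origin"] = environ["HTTP_ORIGIN"]
    status, response_headers = decide_image_response(headers)
    reason = "OK" if status == 200 else "Forbidden"
    start_response(f"{status} {reason}", list(response_headers.items()))
    return [FAKE_PNG if status == 200 else b"image requires a CORS request\n"]


if __name__ == "__main__":
    # Constructed requests illustrating the three cases above.
    for sample in ({}, {"Origin": "https://evil.example"},
                   {"Origin": "https://app.example"}):
        print(sample, "->", decide_image_response(sample))
    # Serve locally: curl -i -H 'Origin: https://app.example' http://127.0.0.1:8000/
    with make_server("127.0.0.1", 8000, wsgi_app) as httpd:
        httpd.serve_forever()
```

One consequence worth noting: a plain <img> on the server's own pages sends no Origin header either, so under this policy the site's own pages must also add @crossorigin to their image tags (or the server needs some other way to tell them apart); the Vary: Origin header matters because a cached 200 for one origin must not be replayed to another.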
