[whatwg] [CORS] WebKit tainting image instead of throwing error

Anne van Kesteren annevk at opera.com
Tue Oct 4 14:25:30 PDT 2011

On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> A server has the option of declining _all_ non CORS request (e.g. all  
> requests without an Origin header).  Servers that care about others  
> getting at their images should do so.  Of course that relies on all UAs  
> implementing @crossorigin so that servers can require it when linking to  
> their images...  But once we get there, this becomes a quite viable  
> strategy for the server to avoid leaking their images.

I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is a  
better strategy for achieving that. The advantage being that only changes  
on the server are required.

Anne van Kesteren

More information about the whatwg mailing list