[whatwg] [CORS] WebKit tainting image instead of throwing error
Anne van Kesteren
annevk at opera.com
Tue Oct 4 14:25:30 PDT 2011
On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> A server has the option of declining _all_ non-CORS requests (e.g. all
> requests without an Origin header). Servers that care about others
> getting at their images should do so. Of course that relies on all UAs
> implementing @crossorigin so that servers can require it when linking to
> their images... But once we get there, this becomes a quite viable
> strategy for the server to avoid leaking their images.
I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is a
better strategy for achieving that. The advantage being that only changes
on the server are required.
--
Anne van Kesteren
http://annevankesteren.nl/
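
The server-side strategy quoted in this message (declining image requests that arrive without an Origin header) sketched as an added example that is not part of the original e-mail. `ALLOWED_ORIGINS`, `decideImageResponse` and the sample origins are hypothetical names and constructed values.

```javascript
// Policy for an image endpoint that refuses non-CORS requests.
// ALLOWED_ORIGINS is a hypothetical allowlist of sites permitted to embed the images.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://partner.example"]);

// HTTP header names are case-insensitive, so normalise before lookup.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return String(value).trim();
  }
  return undefined;
}

// Returns the status and response headers the server would send for an image request.
function decideImageResponse(headers, allowed = ALLOWED_ORIGINS) {
  const origin = getHeader(headers, "Origin");
  // Vary: Origin stops a shared cache replaying one origin's answer to another.
  const base = { Vary: "Origin" };
  if (origin === undefined || origin === "") {
    // A plain <img> without the crossorigin attribute lands here.
    return { status: 403, headers: base, reason: "no Origin header" };
  }
  if (origin === "null" || !allowed.has(origin)) {
    // Opaque ("null") origins and unlisted sites are refused alike.
    return { status: 403, headers: base, reason: "origin not allowed" };
  }
  // Echo the single matching origin rather than "*".
  return {
    status: 200,
    headers: { ...base, "Access-Control-Allow-Origin": origin },
    reason: "allowed",
  };
}

// Constructed sample requests, one per branch.
const samples = [
  { name: "plain <img>", headers: { Accept: "image/*" } },
  { name: "allowed site", headers: { origin: "https://app.example" } },
  { name: "unlisted site", headers: { Origin: "https://other.example" } },
  { name: "opaque origin", headers: { Origin: "null" } },
];
for (const s of samples) {
  const r = decideImageResponse(s.headers);
  console.log(`${s.name}: ${r.status} (${r.reason})`);
}
```

The 403 for the plain `<img>` case is the dependency the quoted text points out: pages linking to these images must use `crossorigin` for the request to carry an Origin header at all.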