[whatwg] [CORS] WebKit tainting image instead of throwing error
Ian Hickson
ian at hixie.ch
Tue Oct 4 15:34:17 PDT 2011
On Tue, 4 Oct 2011, Kenneth Russell wrote:
>
> The server only has the option of declining cross-origin access if the
> application specified the crossorigin attribute. A hostile application
> would simply not specify that attribute, would receive the tainted
> image, and would use the timing attack I assume you're referring to to
> infer the alpha channel.
A server can avoid that problem by simply not returning the image in that
case.
> The far more common case today is that the server doesn't understand the
> CORS request, not that it explicitly forbids cross-origin access to the
> resource.
If it doesn't understand the request, there's no point adding the
attribute in the first place.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list