[whatwg] [CORS] WebKit tainting image instead of throwing error

Anne van Kesteren annevk at opera.com
Thu Oct 6 08:16:53 PDT 2011

On Thu, 06 Oct 2011 17:05:29 +0200, Adam Barth <w3c at adambarth.com> wrote:
> The reason it's implemented like that is because I didn't add any new
> security checks.  I just expanded the canvas taint-checking code to
> understand that a CORS-approved image could pass.
> w.r.t. to blocking the whole image, there isn't any security benefit
> for doing so (if we did so, attackers would just omit the crossorigin
> attribute).  If you want to prevent folks from embedding the image,
> you need something that works regardless of how the image was
> requested (like From-Origin).

You mean WebKit does not support the crossorigin attribute at all? That is  
how I envisioned CORS to work for <img>.

Anne van Kesteren

More information about the whatwg mailing list