[whatwg] [CORS] WebKit tainting image instead of throwing error
Odin Hørthe Omdal
odinho at opera.com
Thu Oct 6 09:39:49 PDT 2011
On Thu, 06 Oct 2011 18:11:54 +0200, Adam Barth <w3c at adambarth.com> wrote:
>> If they actually want a fallback, they can easily just reload the
>> without crossorigin, and they will probably get the cached image
>> from the browser (because it already has it, only won't show it).
>> Obviously, if there hadn't been a crossOrigin-attribute, this would be
>> nice way to handle all image fetching.
> It sounds like you're arguing that it's better for developers if we
> fail fast and hard, which is the opposite of how most of the web
> platform is design (vis HTML versus XML).
> The arguments revolving around wishful thinking about how the world
> should have been don't carry much weight for me.
Well, you're violating the specification. And this is something quite
different from XML versus HTML.
And also, we're doing the same on XHR. If you set xhr.withCredentials and
the server do allow your origin, but doesn't allow credentials, you just
don't send a request without credentials and hope the author doesn't see
it. That will throw an error.
For new stuff like this, there's no reason being loose. If something
doesn't work in any browser at all, they will fix it, if it works in one,
but not any other they will think all the other browsers are doing
In the spec, you'll get "notified" that your picture won't be tainted, --
in WebKit's implementation it will just crash when you really try.
Anyway, for my part we could've just not had the "crossorigin" attribute
at all, and just send Origin-header to all cross-origin images. But then
everyone needs to do the same thing, and it would apparently also break
some sites (
More information about the whatwg