[whatwg] File based permission files?

Ian Hickson ian at hixie.ch
Wed Jun 13 14:27:18 PDT 2012


On Wed, 25 Apr 2012, Tyler Larson wrote:
>
> While working with the canvas tag when you want to edit pixel data 
> within an image loaded from another server you need to have these images 
> served from a web server with cross origin resource sharing headers. 
> http://www.w3.org/TR/cors/
> 
> This means every web server around the internet will need to be 
> reconfigured to output these headers for each asset they want to give 
> access to. As you can see from threads like this 
> https://forums.aws.amazon.com/thread.jspa?threadID=34281 hosts don't want 
> to change the way they serve files. Reconfiguring most web servers is 
> out of the question for a majority of situations.

This provides a competitive environment where hosting providers can cater 
to authors who need CORS headers.


> The flash player has similar security concerns, you can not load an 
> image from another server and edit its pixel information without a 
> crossdomain.xml file. This system has been in place so long that most 
> companies have these files already in place and are usually giving 
> access to all assets on their servers.
> 
> http://www.google.com/crossdomain.xml
> http://www.apple.com/crossdomain.xml
> http://www.yahoo.com/crossdomain.xml
> http://www.adobe.com/crossdomain.xml

Given the number of security problems this has caused, I do not think we 
should go down this route.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

