[whatwg] Adding crossorigin="" to more elements
Ian Hickson
ian at hixie.ch
Thu Nov 29 18:44:30 PST 2012

On Thu, 29 Nov 2012, Boris Zbarsky wrote:
> >
> > Anyway, this is somewhat moot to me because it'll all have to be
> > defined by whatever spec it is that currently says that a CSS sheet on
> > http: can't import an image on file:, etc.
>
> Heh. Does it affect things like CSP in any way?

No idea. Adam?

> > That only applies when there's no crossorigin="" attribute, unless I
> > made a mistake in the speccing.
>
> Oh, ok. Sorry. Reading diffs of HTML is a pain. :(

Yeah, couldn't agree more. If you have any idea how I can improve this, by
the way, let me know. I tried running HTML diff tools for a while, but
couldn't find one that actually could handle a 5MB file, and in any case
they didn't really make things any more readable than plain text diffs in
practice.

> Sure. We don't do any sort of "tainting" either, though; we simply
> remember the origin of the CSS (where it was actually loaded from,
> post-redirect, not the original URI) and do a same-origin check when you
> try to use the CSSOM on it. Note that this check is done against the
> effective script origin of the script doing the CSSOM access, which may
> not actually match the origin of the page the CSS is loaded for, etc.
> Not sure whether the tainting setup you describe is equivalent to that,
> though I doubt it is.

The behaviour called "tainting" in this context in the spec just means
"treat as a cross-origin resource" as opposed to "treat as a network
failure". The term comes from the first time I introduced crossorigin="",
which was for <img>, where the default behaviour of cross-origin images as
opposed to same-origin images is that they taint the canvas.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
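
Added example (not part of the original message, and not code from the HTML spec or from any browser): a simplified JavaScript model of the two behaviours discussed above, "treat as a cross-origin resource" versus "treat as a network failure", next to the post-redirect origin comparison Boris describes for CSSOM access. The function names, the `acao` parameter and all URLs are assumptions made for illustration.

```javascript
// Simplified model of the behaviours discussed in this message. Assumption:
// this is neither the HTML spec's fetch algorithm nor any browser's code.
// All URLs are constructed sample values.

// Origin (scheme, host, port) as computed by the WHATWG URL parser.
const originOf = (url) => new URL(url).origin;

// Model the load of a stylesheet or image for a document.
//   redirects:   URLs actually requested, in order; the last one served the bytes
//   crossorigin: true when the element carries a crossorigin="" attribute
//   acao:        Access-Control-Allow-Origin of the final response, or null
function loadSubresource(docOrigin, { redirects, crossorigin, acao = null }) {
  const origin = originOf(redirects[redirects.length - 1]); // post-redirect
  const sameOrigin = redirects.every((u) => originOf(u) === docOrigin);
  if (sameOrigin) return { ok: true, tainted: false, origin };
  if (crossorigin) {
    // CORS mode: a failed check is treated as a network failure.
    const allowed = acao === "*" || acao === docOrigin;
    return allowed ? { ok: true, tainted: false, origin }
                   : { ok: false, tainted: false, origin: null };
  }
  // No attribute: the resource loads but is treated as cross-origin.
  return { ok: true, tainted: true, origin };
}

// Taint-style check: readable unless the load marked it cross-origin.
const readableByTaint = (res) => res.ok && !res.tainted;

// Origin-comparison check as Boris describes it: stored post-redirect
// origin versus the effective script origin of the caller.
const readableByOriginCheck = (res, scriptOrigin) =>
  res.ok && res.origin === scriptOrigin;

const doc = "https://a.example";
const cdn = "https://cdn.example/s.css";
const cases = {
  noAttr: loadSubresource(doc, { redirects: [cdn], crossorigin: false }),
  corsDenied: loadSubresource(doc, { redirects: [cdn], crossorigin: true }),
  corsAllowed: loadSubresource(doc, { redirects: [cdn], crossorigin: true, acao: "*" }),
  redirected: loadSubresource(doc, { redirects: ["https://a.example/s.css", cdn], crossorigin: false }),
  local: loadSubresource(doc, { redirects: ["https://a.example/s.css"], crossorigin: false }),
};
for (const [name, res] of Object.entries(cases)) {
  console.log(name, res, "taint:", readableByTaint(res),
              "originCheck:", readableByOriginCheck(res, doc));
}
```

Within this model the two checks give different answers for `corsAllowed`, and for `local` when the caller's effective script origin is not the document's origin.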