[whatwg] Adding crossorigin="" to more elements

[Ian Hickson]

On Thu, 29 Nov 2012, Boris Zbarsky wrote:
> > 
> > Anyway, this is somewhat moot to me because it'll all have to be 
> > defined by whatever spec it is that currently says that a CSS sheet on 
> > http: can't import an image on file:, etc.
> 
> Heh.  Does it affect things like CSP in any way?

No idea. Adam?


> > That only applies when there's no crossorigin="" attribute, unless I 
> > made a mistake in the speccing.
> 
> Oh, ok.  Sorry.  Reading diffs of HTML is a pain.  :(

Yeah, couldn't agree more. If you have any idea how I can improve this, by 
the way, let me know. I tried running HTML diff tools for a while, but 
couldn't find one that actually could handle a 5MB file, and in any case 
they didn't really make things any more readable than plain text diffs in 
practice.


> Sure.  We don't do any sort of "tainting" either, though; we simply 
> remember the origin of the CSS (where it was actually loaded from, 
> post-redirect, not the original URI) and do a same-origin check when you 
> try to use the CSSOM on it.  Note that this check is done against the 
> effective script origin of the script doing the CSSOM access, which may 
> not actually match the origin of the page the CSS is loaded for, etc. 
> Not sure whether the tainting setup you describe is equivalent to that, 
> though I doubt it is.

The behaviour called "tainting" in this context in the spec just means 
"treat as a cross-origin resource" as opposed to "treat as a network 
failure". The term comes from the first time I introduced crossorigin="", 
which was for <img>, where the default behaviour of cross-origin images as 
opposed to same-origin images is that they taint the canvas.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'