[whatwg] Adding crossorigin="" to more elements
bzbarsky at MIT.EDU
Mon Jun 17 04:44:21 PDT 2013
On 6/17/13 6:05 AM, Simon Pieters wrote:
> What's in CSSOM now is "tainting".
Sort of. I think of tainting as "you can write to it but read from it",
but what's in CSSOM is "you can't touch it". I guess the point is that
whether you can touch or not is detected statically at load time?
There needs to be some sort of dynamic check here in practice, since
extensions need to be able to touch these things even if the page can't,
but clearly that's out of scope of this specification.
> It seems like the wrong model to use the effective script origin for
That's possible, yes. The default security checks in Gecko always use
effective script origin; a way to check the origin didn't even exist
until pretty recently. So any security check dating back far enough
always uses the effective script origin...
> Now, the spec could either use tainting or it could compare the origin
> of the style sheet with the origin of the script that tries to access
> it. This would only be different in a case like this
> Since this currently throws in Firefox, it's likely that there isn't a
> big Web compat problem to not support this. I think <canvas> doesn't
> support the equivalent thing, either, per spec (although a <canvas> is a
> bit different in that it can have lots of images drawn on it from
> different origins).
Right, canvas has a tainting model where once you taint it no one can
read from it (modulo extensions) even though they can keep writing to
it, because trying to define an origin for such a thing would involve
having an actual origin lattice in the platform or something along those
In any case, I don't have a huge problem with what's in CSSOM right now
if it better matches what other UAs do. Finding resources to change the
Gecko behavior is another matter. :(
More information about the whatwg