[whatwg] Adding crossorigin="" to more elements

Boris Zbarsky bzbarsky at MIT.EDU
Mon Jun 17 04:44:21 PDT 2013


On 6/17/13 6:05 AM, Simon Pieters wrote:
> What's in CSSOM now is "tainting".

Sort of.  I think of tainting as "you can write to it but read from it", 
but what's in CSSOM is "you can't touch it".  I guess the point is that 
whether you can touch or not is detected statically at load time?

There needs to be some sort of dynamic check here in practice, since 
extensions need to be able to touch these things even if the page can't, 
but clearly that's out of scope of this specification.

> It seems like the wrong model to use the effective script origin for
> stylesheets

That's possible, yes.  The default security checks in Gecko always use 
effective script origin; a way to check the origin didn't even exist 
until pretty recently.  So any security check dating back far enough 
always uses the effective script origin...

> Now, the spec could either use tainting or it could compare the origin
> of the style sheet with the origin of the script that tries to access
> it. This would only be different in a case like this

Yes, agreed.

> Since this currently throws in Firefox, it's likely that there isn't a
> big Web compat problem to not support this. I think <canvas> doesn't
> support the equivalent thing, either, per spec (although a <canvas> is a
> bit different in that it can have lots of images drawn on it from
> different origins).

Right, canvas has a tainting model where once you taint it no one can 
read from it (modulo extensions) even though they can keep writing to 
it, because trying to define an origin for such a thing would involve 
having an actual origin lattice in the platform or something along those 
lines.  ;)

In any case, I don't have a huge problem with what's in CSSOM right now 
if it better matches what other UAs do.  Finding resources to change the 
Gecko behavior is another matter.  :(

-Boris




More information about the whatwg mailing list