On 10/4/11 3:04 PM, Kenneth Russell wrote:
> As far as I can tell the tainting behavior WebKit implements is
> correct, and is specified by the text in
> http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element
> . Scroll down to step 6 in the algorithm for "When the user agent is
> to update the image data...". Note that the "default origin behaviour"
> is set to "taint" when fetching images.

"default origin behavior" is only relevant when the mode is "No CORS". See http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#potentially-cors-enabled-fetch

So for images it only applies when the "crossorigin" attribute is not set.

So no, WebKit's implementation is not correct if you were trying to implement the spec.

In particular, if "crossorigin" is set, you end up at http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#potentially-cors-enabled-fetch step 3 item 1 in the 'If mode is "Anonymous" or "Use Credentials"' section, which is exactly what was cited in the mail that started this thread.

-Boris
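
The mode distinction discussed in the message above, as an added JavaScript sketch that is not part of the original thread or of any browser's code. The function names, origins and headers are constructed; the attribute-to-mode mapping and the treatment of a failed resource sharing check as a failed load are assumptions taken from the HTML and CORS specifications rather than from the message.

```javascript
// Added illustration; all names and sample values are constructed.
// Models the outcome of a "potentially CORS-enabled fetch" for an <img>.

// Map the crossorigin content attribute to a CORS mode.
// Assumption: missing -> "No CORS"; "use-credentials" -> "Use Credentials";
// any other value (including "" and "anonymous") -> "Anonymous".
function corsMode(attr) {
  if (attr === null || attr === undefined) return "No CORS";
  return attr.toLowerCase() === "use-credentials" ? "Use Credentials" : "Anonymous";
}

// Resource sharing check on the response headers (keys lower-cased).
// With credentials, "*" is not accepted and Allow-Credentials must be "true".
function sharingCheckPasses(headers, docOrigin, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (!withCredentials) return allow === "*" || allow === docOrigin;
  return allow === docOrigin &&
    headers["access-control-allow-credentials"] === "true";
}

// Returns "same-origin", "cors-same-origin", "tainted" or "load-fails".
function imageFetchOutcome({ docOrigin, imgUrl, crossorigin, headers = {} }) {
  if (new URL(imgUrl).origin === docOrigin) return "same-origin";
  const mode = corsMode(crossorigin);
  // "default origin behaviour" (taint) is consulted only in this branch;
  // response headers play no part here.
  if (mode === "No CORS") return "tainted";
  const ok = sharingCheckPasses(headers, docOrigin, mode === "Use Credentials");
  // A failed check is treated as a failed load, not as a tainted image.
  return ok ? "cors-same-origin" : "load-fails";
}

// Constructed sample: the same cross-origin image with and without the attribute.
const sample = { docOrigin: "https://app.example", imgUrl: "https://cdn.example/a.png" };
console.log(imageFetchOutcome({ ...sample }));                      // no attribute
console.log(imageFetchOutcome({ ...sample, crossorigin: "anonymous" })); // no CORS headers
```

A canvas that draws a "tainted" image refuses later pixel reads, while a "load-fails" image never reaches the canvas at all.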
