This problem recently became apparent while trying to process a public video on tinyvid.tv:
In article 4.8.11.3 "Security with canvas elements", the origin-clean flag is only set depending on an element's origin. However there are many scenarios where an image/video may actually be public and actively allowing processing on other domains (as indicated by Access-Control-Allow-Origin). Is this an oversight or is there a specific reason why Access Control for Cross-Site Requests should not work for Canvas?
