On Sun, 15 Mar 2009 20:45:17 +0100, Hans Schmucker
<[email protected]> wrote:
Thank you Anne, but I think this has to be dealt with primarily inside
the HTML5 spec.
Yes, hence me using the word "aside"...
Anyway, ...
The Access Control spec is already pretty clear on how
things are supposed to work on the server and from the server to the
client and it's probably mostly enough to say that "Image and Video
elements in addition to cross-origin linking also allow for
cross-origin use as described in Cross-Origin Resource Sharing".
No, currently you actually have to state which algorithm you use in CORS
and how. Otherwise CORS does not apply (at least not from a specification
standpoint).
Me and Chris actually assumed it would work that way until we tried it.
The main question for me (aside from the question if
image/video/canvas elements should retain all necessary information to
check for valid origins that are allowed access again or just be
marked "standard"/"public") is where to put it in the spec. It's an
issue that applies to pretty much anything that allows access to the
raw data (which is just canvas now, but nobody knows what the future
will bring) and to make matters worse its nature not only requires
changes to canvas itself, but also to the elements that are drawable,
like img or video. So to me it would make the most sense to put this
as far away as possible from Canvas and make it more into a generic
item how DOM elements are supposed to hold data about cross origin
headers. Then the canvas description would need virtually no changed
beyond "obeys cross-origin rules for pixel access".
That does sound nice yes.
--
Anne van Kesteren
http://annevankesteren.nl/
