On Tue, Oct 4, 2011 at 11:55 AM, Boris Zbarsky <[email protected]> wrote:
> On 10/4/11 2:44 PM, Anne van Kesteren wrote:
>>
>> On Tue, 04 Oct 2011 20:32:02 +0200, Ian Hickson <[email protected]> wrote:
>>>
>>> The idea is that if the server explicitly rejected the CORS request, then
>>> the image should not be usable at all.
>>
>> FWIW, from a CORS-perspective both scenarios are fine. CORS only cares
>> about whether data gets shared in the end.
>
> Displaying images involves sharing data, basically. That's why we're having
> to jump through all these hoops....

As far as I can tell the tainting behavior WebKit implements is correct, and is specified by the text in http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html#the-img-element . Scroll down to step 6 in the algorithm for "When the user agent is to update the image data...". Note that the "default origin behaviour" is set to "taint" when fetching images.

-Ken
