On Tue, 4 Oct 2011, Kenneth Russell wrote:
>
> The server only has the option of declining cross-origin access if the
> application specified the crossorigin attribute. A hostile application
> would simply not specify that attribute, would receive the tainted
> image, and would use the timing attack I assume you're referring to to
> infer the alpha channel.

A server can avoid that problem by simply not returning the image in that
case.


> The far more common case today is that the server doesn't understand the
> CORS request, not that it explicitly forbids cross-origin access to the
> resource.

If it doesn't understand the request, there's no point adding the
attribute in the first place.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
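The server-side decision the two messages are arguing about, written out as an added example (this is not code from the thread or from any project either author worked on). It assumes a Node.js-style request object whose header names are lower-cased, a constructed `SELF_ORIGIN` and `ALLOWED_ORIGINS` allow-list, and it uses the Fetch Metadata `Sec-Fetch-Site` header (a later addition to browsers, not something the 2011 discussion had) with `Referer` as a fallback to recognise a plain `<img>` embed that carries no `Origin` header:

```javascript
// Added example, not from the thread: how an image server can act on the two
// cases discussed above. A request that arrives with an Origin header came from
// an <img crossorigin> (a CORS request) and can be allowed or declined per
// origin. A request without one came from a plain <img>; the browser will
// render that image as tainted no matter what the server sends, so the only
// way to keep it away from other sites is to not serve it at all, deciding
// from other request signals (Sec-Fetch-Site, or Referer as a fallback).
// SELF_ORIGIN and ALLOWED_ORIGINS are constructed values for this example.

const SELF_ORIGIN = 'https://images.example';            // constructed
const ALLOWED_ORIGINS = new Set(['https://app.example']); // constructed allow-list

function allow(corsOrigin, reason) {
  const headers = {};
  if (corsOrigin) {
    // Only a CORS request gets the allow header; it is what lets the calling
    // page untaint its canvas and read the pixels back, alpha included.
    headers['Access-Control-Allow-Origin'] = corsOrigin;
    headers['Vary'] = 'Origin';
  }
  return { status: 200, serveImage: true, headers, reason };
}

function deny(reason) {
  // Declining means not returning the image at all. Serving the bytes without
  // an allow header would still hand the page a tainted image it can draw.
  return { status: 403, serveImage: false, headers: {}, reason };
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// headers: plain object with lower-cased header names, as in Node's req.headers.
function decideImageResponse(headers) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // CORS request (<img crossorigin>): the Origin header is the basis for the decision.
    if (origin === SELF_ORIGIN || ALLOWED_ORIGINS.has(origin)) {
      return allow(origin, 'cors-allowed');
    }
    return deny('cors-origin-not-allowed');
  }

  // Non-CORS request (plain <img>): there is no Origin header to decide on.
  const site = headers['sec-fetch-site'];
  if (site !== undefined) {
    // Fetch Metadata: 'same-origin' is our own pages, 'none' is a direct
    // navigation by the user; anything else is another site embedding us.
    return (site === 'same-origin' || site === 'none')
      ? allow(null, 'fetch-metadata-' + site)
      : deny('fetch-metadata-' + site);
  }
  const refOrigin = headers['referer'] !== undefined ? originOf(headers['referer']) : null;
  if (refOrigin !== null) {
    return (refOrigin === SELF_ORIGIN || ALLOWED_ORIGINS.has(refOrigin))
      ? allow(null, 'referer-allowed')
      : deny('referer-cross-origin');
  }
  // No signal at all: for an image that must stay private, fail closed.
  return deny('no-origin-signal');
}
```

The two branches map onto the two messages: the `origin !== undefined` path is the per-origin decline that is only available when the page opted into CORS, and the rest is what "not returning the image" has to rely on when the page did not, which is why a server that cannot recognise its own embeds from `Sec-Fetch-Site` or `Referer` ends up either serving the tainted image to everyone or failing closed.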
