How about adding file based permission files? While working with the canvas tag when you want to edit pixel data within an image loaded from another server you need to have these images served from a web server with cross origin resource sharing headers. http://www.w3.org/TR/cors/
This means every web server around the internet will need to be reconfigured to output these headers for each asset they want to give access to. As you can see from threads like this https://forums.aws.amazon.com/thread.jspa?threadID=34281 host don't want to change the way they serve files. Reconfiguring most web servers is out of the question for a majority of situations. The flash player has similar security concerns, you can not load an image from another server and edit its pixel information without a crossdomain.xml file. This system has been in place so long that most companies have these files already in place and are usually giving access to all assets on their servers. http://www.google.com/crossdomain.xml http://www.apple.com/crossdomain.xml http://www.yahoo.com/crossdomain.xml http://www.adobe.com/crossdomain.xml It took a lot of convincing to get these files in place and this was just adding a single file. Changing the way that people configure there file servers is simply out of the question in relation to the conversations I have had with people. I would think at minimum we need a way to do file based permissions. The format of the document could be per file or per domain or uri but what might be even better than coming up with a new standard might be to use the one that is already in place. How about just using these crossdomain.xml files. Here is adobe's spec http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Microsofts supports crossdomain.xml files for some of their technologies http://msdn.microsoft.com/en-us/library/cc197955(v=vs.95).aspx Java supports it also http://www.oracle.com/technetwork/java/javase/plugin2-142482.html#CROSSDOMAINXML I'm sure there are other technologies as well but I'm sorry I don't have links.
