On Fri, Apr 23, 2010 at 9:43 AM, Charles Pritchard <ch...@jumis.com> wrote:
>> For what it's worth, we consider enablePrivilege to be a horrible
>> solution for basically any involved party (browser developer, user,
>> and website author), and we're in the process of removing it. So
>> saying that anything is like enablePrivilege is not a good argument :)
>>
>> / Jonas
>>
>
> Thanks for clarifying
>
> Has there been progress on enabling Canvas origin-clean with
> Cross-Origin Resource Sharing?

No.

> Currently, a CORS-enabled XMLHttpRequest result must be serialized
> in base64 then load it into an <img> tag.
>
> Cross-Origin Resource Sharing:
> http://www.w3.org/TR/cors/

One solution is to simply use CORS together with XMLHttpRequest as you
point out. Though it's definitely not smooth.

Alternatively, it would be possible to use CORS together with <img>,
such that if the response to an <img> request contains the appropriate
CORS headers then tainting would not occur when imported into a canvas.
This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.

I suggest you approach things from this direction instead.

/ Jonas
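
A small model of the second option described in the message above, added here as an example; it is not part of the original thread and is not browser code. It shows how a CORS check on the `<img>` response would decide whether a draw taints the canvas. The function and class names are hypothetical, the origins and headers are constructed, and the credentials handling is an assumption taken from the CORS rules for credentialed requests rather than from the message.

```javascript
// Model of the proposal: an <img> response carrying suitable CORS headers
// leaves the canvas origin-clean. All names here are hypothetical.
function corsCheckPasses(documentOrigin, headers, withCredentials) {
  // Header names are case-insensitive; normalise the constructed header map.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (withCredentials) {
    // Assumption from CORS: with credentials the wildcard is not accepted
    // and the server must also send Access-Control-Allow-Credentials: true.
    return allow === documentOrigin && h["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === documentOrigin;
}

function imageTaintsCanvas(documentOrigin, imageUrl, headers, withCredentials = false) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === documentOrigin) return false; // same origin never taints
  return !corsCheckPasses(documentOrigin, headers, withCredentials);
}

// The origin-clean flag is sticky: one tainting draw blocks all later reads.
class CanvasModel {
  constructor(documentOrigin) {
    this.documentOrigin = documentOrigin;
    this.originClean = true;
  }
  drawImage(imageUrl, headers, withCredentials = false) {
    if (imageTaintsCanvas(this.documentOrigin, imageUrl, headers, withCredentials)) {
      this.originClean = false;
    }
  }
  canRead() { // stands in for toDataURL()/getImageData() being permitted
    return this.originClean;
  }
}

// Constructed sample values.
const page = "https://app.example";
const canvas = new CanvasModel(page);
canvas.drawImage("https://cdn.example/a.png", { "Access-Control-Allow-Origin": "*" });
console.log("after CORS-approved image:", canvas.canRead());
canvas.drawImage("https://other.example/b.png", {}); // no CORS headers
console.log("after image without CORS headers:", canvas.canRead());
```
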