On Fri, Apr 23, 2010 at 5:56 PM, Anne van Kesteren <ann...@opera.com> wrote:
> On Sat, 24 Apr 2010 04:04:57 +0900, Jonas Sicking <jo...@sicking.cc> wrote:
>>
>> This would require changes to both HTML and to CORS, but not too bad.
>> And the result is significantly better as it doesn't require the user
>> to get involved and decide what's safe and what's not.
>
> What changes to CORS would be required? It is designed to make this "just
> work" so if anything is wrong I'd like to know. Specifically the "resource
> sharing check" is what HTML would use here.

Ah, I see that CORS doesn't require the network connection to be
aborted even when the "cross-origin request status" reaches "network
error". So it does indeed seem like all that's needed is for HTML to
say that CORS should be used while fetching the image, and that if the
resulting "cross-origin request status" is "success", then tainting
doesn't happen when said image is drawn into a canvas.

/ Jonas
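
The rule described in this message, as an added example that is not part of the original email: a simplified JavaScript model of the CORS "resource sharing check" feeding the canvas tainting decision. All function, class and field names are hypothetical (not browser APIs), and the origins and headers are constructed sample values.

```javascript
// Simplified model: response headers are given as lowercase names mapped to
// arrays of values (a constructed representation, not a browser structure).

// Returns the "cross-origin request status": "success" or "network error".
function resourceSharingCheck(requestOrigin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"] || [];
  // Zero or more than one Access-Control-Allow-Origin value fails the check.
  if (allowOrigin.length !== 1) return "network error";
  if (allowOrigin[0] === "*") {
    // The wildcard is only accepted for requests made without credentials.
    return withCredentials ? "network error" : "success";
  }
  if (allowOrigin[0] !== requestOrigin) return "network error";
  if (withCredentials) {
    const allowCreds = headers["access-control-allow-credentials"] || [];
    if (allowCreds.length !== 1 || allowCreds[0] !== "true") return "network error";
  }
  return "success";
}

// Decides whether drawing this image must taint the canvas.
function drawImageTaints(documentOrigin, image) {
  if (image.origin === documentOrigin) return false; // same-origin never taints
  if (!image.fetchedWithCors) return true;           // plain cross-origin fetch taints
  // The fetch is not aborted on "network error": the image still loads and can
  // be drawn, but only a "success" status keeps the canvas origin-clean.
  const status = resourceSharingCheck(documentOrigin, image.headers, image.withCredentials);
  return status !== "success";
}

class ModelCanvas {
  constructor(origin) {
    this.origin = origin;
    this.originClean = true;
  }
  drawImage(image) {
    if (drawImageTaints(this.origin, image)) this.originClean = false;
  }
  toDataURL() {
    // A tainted canvas refuses to hand its pixels back to script.
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "data:image/png;base64,(constructed)";
  }
}
```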
