On Thu, 06 Oct 2011 17:05:29 +0200, Adam Barth <w...@adambarth.com> wrote:
> The reason it's implemented like that is because I didn't add any new
> security checks. I just expanded the canvas taint-checking code to
> understand that a CORS-approved image could pass.
>
> w.r.t. blocking the whole image, there isn't any security benefit
> for doing so (if we did so, attackers would just omit the crossorigin
> attribute). If you want to prevent folks from embedding the image,
> you need something that works regardless of how the image was
> requested (like From-Origin).

You mean WebKit does not support the crossorigin attribute at all? That is
how I envisioned CORS to work for <img>.
--
Anne van Kesteren
http://annevankesteren.nl/
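
The behaviour described in the quoted text above, modelled in plain JavaScript as an added example (not WebKit code and not written by either participant): the image is always displayed, and CORS approval only decides whether drawing it taints the canvas. The origins, the `ModelCanvas` class and the `loadImage`/`embed` helpers are constructed for illustration, and only the anonymous (no-credentials) CORS mode is modelled.

```javascript
// Added illustration: a plain-JavaScript model of the behaviour described in
// the quoted text. Not WebKit code; all names and origins are constructed.

// Decide what happens when a page embeds an image served by `server`.
// img.crossorigin: undefined (attribute omitted) or "anonymous".
// server.allowOrigin: value of Access-Control-Allow-Origin, or null if absent.
function loadImage(pageOrigin, img, server) {
  const sameOrigin = server.origin === pageOrigin;
  const corsRequested = img.crossorigin === "anonymous";
  const corsApproved = corsRequested &&
    (server.allowOrigin === "*" || server.allowOrigin === pageOrigin);
  return {
    // As described in the thread: no new check blocks the image itself.
    displayed: true,
    // Only the existing taint check changes: a CORS-approved image passes.
    taintsCanvas: !(sameOrigin || corsApproved),
  };
}

class ModelCanvas {
  constructor() { this.originClean = true; }
  drawImage(loaded) {
    if (loaded.taintsCanvas) this.originClean = false; // taint is sticky
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SecurityError: tainted canvas");
    return "data:image/png;base64,CONSTRUCTED";
  }
}

// Returns { displayed, readable } for one embedding attempt.
function embed(pageOrigin, img, server) {
  const loaded = loadImage(pageOrigin, img, server);
  const canvas = new ModelCanvas();
  canvas.drawImage(loaded);
  let readable = true;
  try { canvas.toDataURL(); } catch (e) { readable = false; }
  return { displayed: loaded.displayed, readable };
}

const PAGE = "https://embedder.example";
const OPEN = { origin: "https://images.example", allowOrigin: "*" };
const CLOSED = { origin: "https://images.example", allowOrigin: null };

console.log(embed(PAGE, { crossorigin: "anonymous" }, OPEN));   // approved
console.log(embed(PAGE, { crossorigin: "anonymous" }, CLOSED)); // not approved
console.log(embed(PAGE, {}, CLOSED));                           // attribute omitted
```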