[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] Proposed change to WebGL spec section 4.2 (Security Origin Restrictions)





On Tue, Oct 5, 2010 at 12:22 AM, Vladimir Vukicevic <vladimir@mozilla.com> wrote:


----- Original Message -----

> Does CORS like stuff apply to images so a server can declare
> images from it are usable by any domain?

CORS does/can, though I don't know if any browser interprets it correctly that way.  I have no idea what we do in Firefox; we have a generic same-origin checking path for two resources, so it's possible that it might "just work".

I'd really like to get finer-grained same origin control in canvas, but I don't think doing it in webgl/webgl spec is the right place to do it.  You can make the same argument for canvas 2d (e.g. clearing the canvas should result in it being origin clean again, but it doesn't).  So while I'm in favor of the functionality, I don't think we should look at doing anything webgl-specific to get it for now.

Agreed. There wouldn't be anything WebGL specific. The proposal related to CORS is that stuff a server says is okay to use does not mark a canvas as non origin clean and similarly would not taint WebGL textures. Should probably discuss that part on the whatwg list or something.

 

   - Vlad